
What is Server-Side Template Injection (SSTI)?

Server-Side Template Injection (SSTI) occurs when user-supplied input is concatenated directly into a template string that is later evaluated by the server-side template engine (e.g. Jinja2, Twig, Pebble). The engine processes the user's input as template code, not as plain text data.

The classic detection payload is {{7*7}} — if the server returns 49, the template engine evaluated the expression, confirming SSTI. From there, attackers use template-engine-specific syntax to access the object model and call OS commands, often achieving Remote Code Execution (RCE). For example, in Jinja2: {{ ''.__class__.__mro__[1].__subclasses__() }} allows traversing the Python object hierarchy to reach subprocess.Popen.

Fix: never construct templates from user input. Templates should be static files or strings defined by developers. Pass user data as variables to the template engine — the engine renders them as safe literal text, not executable code. If dynamic template generation is genuinely required, use a sandboxed sub-environment and disallow access to unsafe builtins.
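The vulnerable pattern beside the fix, as an added Jinja2 example that is not part of the original card: a hypothetical greeting page whose `name` parameter comes straight from the request, rendered three ways (concatenated into the template source, passed as a variable, and through a SandboxedEnvironment).

```python
# Added example, not from the SecPrep card. Requires Jinja2 (pip install jinja2).
# Assumes a hypothetical greeting page; "name" is taken from the request as-is.
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError

# Constructed probe input: the classic SSTI detection payload from the card.
PROBE = "{{7*7}}"


def render_vulnerable(name: str) -> str:
    """Concatenates user input INTO the template source (the SSTI bug)."""
    env = Environment(autoescape=True)
    # The engine now parses the user's text as template code, so {{7*7}}
    # is evaluated and the page shows "Hello 49!".
    return env.from_string("Hello " + name + "!").render()


def render_fixed(name: str) -> str:
    """Keeps the template static and passes user input as a variable."""
    env = Environment(autoescape=True)
    # The engine treats the value as data: the braces are printed literally
    # and, with autoescape on, HTML metacharacters are escaped as well.
    return env.from_string("Hello {{ name }}!").render(name=name)


def render_sandboxed(template_source: str) -> str:
    """Last resort when template source really must be dynamic: the sandbox
    refuses access to underscore-prefixed attributes such as __class__,
    so the object-model walk from the card raises SecurityError."""
    env = SandboxedEnvironment(autoescape=True)
    try:
        return env.from_string(template_source).render()
    except SecurityError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print(render_vulnerable(PROBE))  # Hello 49!      (expression evaluated)
    print(render_fixed(PROBE))       # Hello {{7*7}}! (literal text)
    print(render_sandboxed("{{ ''.__class__.__mro__[1].__subclasses__() }}"))
```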
