Security updates & advisories

When user-supplied input is concatenated directly into template strings rather than passed as isolated context variables, attackers can inject template syntax that executes on the server. In Python/Flask applications using Jinja2, payload patterns like {{7*7}} confirm vulnerability and chains like {{config.__class__.__init__.__globals__}} can lead to remote code execution. The same class of vulnerability exists across Twig (PHP), Smarty, Pebble (Java), and Velocity.

Affected patterns

• Jinja2 / Flask / Django (user input in template strings)
• Twig (PHP applications)
• Smarty (PHP CMS platforms)
• Pebble / Velocity (Java applications)

Remediation

Pass user data as context variables, never concatenate into template strings. Use sandboxed template environments where available. Apply input allowlisting for fields that interact with template logic.

The state parameter in OAuth 2.0 is the primary CSRF protection in authorization code flows. When missing or static, an attacker can craft a malicious redirect link that initiates an authorization with the victim's session, causing them to unknowingly link their identity to an attacker-controlled provider account. Variations of this attack enable account takeover when the application merges accounts by provider email without additional verification.

Affected patterns

• OAuth 2.0 authorization code flows without state validation
• Social login implementations (Google, GitHub, Microsoft)
• Applications that do not regenerate state per-request

Remediation

Generate a cryptographically random, per-request state parameter and validate the returned value matches before processing the authorization code. Use PKCE for public clients regardless of server-side state.

GraphQL introspection is a legitimate development feature that enumerates the full API schema. Leaving it enabled in production allows any visitor to query __schema and __type to map private fields, internal mutations, and data structures that were never intended to be publicly documented. Combined with other vulnerabilities, this significantly reduces the reconnaissance effort required for targeted attacks.

Affected patterns

• GraphQL APIs with introspection enabled in production
• Applications using Apollo Server (introspection on by default pre-3.x)
• Hasura, Prisma, and other auto-generated GraphQL APIs

Remediation

Disable introspection in production environments. In Apollo Server 3+, introspection is disabled by default for non-development environments. Apply field-level authorization independently — disabling introspection does not fix authorization issues.

The most dangerous CORS misconfiguration is a server that reflects any Origin header value back in the Access-Control-Allow-Origin response while also setting Access-Control-Allow-Credentials: true. This combination allows an attacker's page to make credentialed cross-origin requests and read the responses — including session data, PII, and internal API payloads. A related pattern accepts the null origin, which can be triggered from sandboxed iframes.

Affected patterns

• APIs that dynamically reflect the Origin header
• Applications combining allow-all origins with credentials
• Services accepting null origin with credentials

Remediation

Maintain an explicit allowlist of trusted origins. Never reflect the request Origin back without validation against that list. Never combine wildcard or reflected origins with Access-Control-Allow-Credentials: true.

Session cookies lacking the Secure attribute may be transmitted over unencrypted connections during mixed-content scenarios or network downgrades. Cookies without HttpOnly are readable by JavaScript, enabling theft via XSS. SameSite=None without Secure allows cross-site transmission. SameSite=Lax provides CSRF protection for most cases but requires explicit handling for POST-based flows. The combination of all three attributes provides defense-in-depth that significantly reduces cookie theft and CSRF risk.

Affected patterns

• Authentication cookies missing Secure flag on HTTPS sites
• Session tokens accessible via document.cookie
• Cookies using SameSite=None without Secure

Remediation

Set Secure on all cookies served over HTTPS. Set HttpOnly on all cookies that do not require JavaScript access. Set SameSite=Strict or SameSite=Lax based on your cross-site requirements. Review framework defaults — some set insecure defaults that must be explicitly overridden.