## Mako Template Engine Exposes Path Traversal Vulnerability in `TemplateLookup.get_template()`
A critical path traversal vulnerability has been disclosed in the Mako templating engine, a core component used by major Python web frameworks. The flaw, tracked as GHSA-v92g-xgxw-vvmm, resides in the `TemplateLookup.get_template()` function and can let an attacker read files outside the intended template directory. The exploit hinges on a URI starting with `//`, such as `//../../../secret.txt`, which bypasses the lookup's directory check because of an inconsistency in how leading slashes are handled.

The vulnerability stems from a mismatch between two internal slash-stripping implementations. `Template.__init__` strips only one leading slash, whereas `TemplateLookup.get_template()` strips all leading slashes. Because the two code paths disagree about what the normalised name is, a name with `..` segments can resolve to a file outside the configured template directories. The issue was addressed in Mako version 1.3.11, which patches the lookup logic to close this attack vector. The update is now being propagated via automated dependency managers such as RenovateBot, and developers should review and merge those security patches promptly.

This security flaw puts any Python web application that uses Mako for dynamic template rendering at risk. The vulnerability's simplicity, and the widespread use of Mako in projects built on SQLAlchemy and other frameworks, amplify its impact. Organizations should immediately verify their dependency versions and apply the update to mitigate the risk of data exfiltration or server compromise. The rapid release of the advisory and patch underscores the severity of the issue within the open-source security ecosystem.
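As an added example, not code from Mako or from the advisory, the following Python shows the two checks a maintainer would want from the paragraphs above: a template-name resolver that confines lookups to a configured root no matter how many leading slashes the name carries (so a `..` sequence cannot escape even if slash handling is inconsistent), and a version check that flags an installed Mako older than the fixed release 1.3.11. The root directory, template names and version strings are constructed for illustration; the confinement check only matters where the template name can be influenced by request input.

```python
"""
Added example, not Mako's own code: a template-URI resolver that confines
lookups to a configured template root regardless of how many leading
slashes the name carries, plus a version check against the fixed release.
The root directory, template names and version strings below are constructed.
"""
import re
from pathlib import Path

# Version in which the advisory says the lookup logic was patched.
FIXED_VERSION = (1, 3, 11)


def resolve_template_path(root, uri):
    """Resolve `uri` inside `root`, raising ValueError if it escapes.

    All leading slashes are stripped (the get_template() behaviour the
    advisory describes), then the joined path is normalised and checked
    against the resolved root, so '..' segments cannot escape no matter
    how the slashes were handled upstream.
    """
    root = Path(root).resolve()
    relative = uri.lstrip("/")
    # Reject empty names, backslashes and drive/scheme-like prefixes outright.
    if not relative or "\\" in relative or ":" in relative:
        raise ValueError(f"invalid template uri: {uri!r}")
    candidate = (root / relative).resolve()
    # resolve() follows symlinks, so a link inside the root that points
    # outside it is rejected here as well.
    if candidate == root or not candidate.is_relative_to(root):
        raise ValueError(f"template uri escapes template root: {uri!r}")
    return candidate


def is_confined(root, uri):
    """True if `uri` resolves to a path strictly inside `root`."""
    try:
        resolve_template_path(root, uri)
    except ValueError:
        return False
    return True


def mako_is_patched(version):
    """True if a Mako version string is at or above the fixed release."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION


def audit(root, uris, installed_version):
    """Summarise confinement results for several names plus the version state."""
    return {
        "patched": mako_is_patched(installed_version),
        "uris": {uri: is_confined(root, uri) for uri in uris},
    }


if __name__ == "__main__":
    # Constructed inputs: a hypothetical template root and a mix of names,
    # including the traversal shape quoted in the advisory.
    result = audit(
        "/srv/app/templates",
        ["index.html", "/emails/welcome.mako", "//../../../secret.txt"],
        installed_version="1.3.10",
    )
    for uri, ok in result["uris"].items():
        print(f"{'allow' if ok else 'reject':6} {uri}")
    print("mako patched:", result["patched"])
```

The resolver deliberately normalises with `Path.resolve()` and compares against the resolved root rather than inspecting the string for `..`, so encoded or doubled separators are judged by where they actually land on disk; `is_relative_to` requires Python 3.9 or later.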
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, python, open-source, path-traversal
- **Credibility**: unverified
- **Published**: 2026-04-16 23:22:56
- **ID**: 68312
- **URL**: https://whisperx.ai/en/intel/68312