Glossary
SSTI (Server-Side Template Injection)
A vulnerability that allows injecting code into server-side template engines (Jinja2, Twig, Blade). SSTI occurs when user data is inserted directly into a template without sanitization. It can lead to file reading, system command execution, and full server compromise.
How SSTI happens
Server-Side Template Injection occurs when user-supplied data is interpreted by the template engine instead of being treated as text. The affected engines are everywhere: Jinja2 (Python), Twig and Blade (PHP), Freemarker (Java), Handlebars or EJS (Node.js). The classic test is injecting {{7*7}}: if the page renders 49, the engine evaluated the expression — and an attacker can usually go much further, often up to arbitrary code execution on the server (RCE).
Where it shows up in HR SaaS
HR and payroll software is particularly exposed because it generates a lot of personalized documents: candidate email templates, generated employment contracts, certificates, internal communication campaigns. Every 'customizable template' feature where a client can insert variables ({{first_name}}, {{salary}}) is a potential SSTI surface. If the rendering engine isn't sandboxed, a malicious user can go from a simple email template to reading the server's environment variables — secrets, API keys, database credentials.
How CleanIssue tests for SSTI
We identify every input that feeds a document or email rendering path, then test engine-specific payloads in a controlled way, without destructive exploitation. An SSTI finding always includes the evaluation proof (the famous 49), the identified engine, and the reachable impact level, with sandboxing or escaping recommendations suited to your stack.
Frequently asked questions
How severe is SSTI?
Often critical. Depending on the template engine and its configuration, SSTI can allow reading server files, exfiltrating environment secrets, or executing arbitrary code (RCE). In a multi-tenant SaaS, that can compromise every client's data.
How do you prevent SSTI?
Never concatenate user input into a template. Use sandboxed engines (e.g. Jinja2's SandboxedEnvironment), logic-less templates for client-provided content, and strictly limit the variables available at render time. Input validation alone is not enough.
What is the difference between SSTI and XSS?
XSS executes in the victim's browser; SSTI executes on your server. SSTI impact is therefore usually far greater: it targets the platform's infrastructure and data, not just one user's session.