microsoft/PyRIT v0.12.1

v0.12.1

Repository: microsoft/PyRIT

Tag: v0.12.1

Published: 2026-04-09T22:52:15Z

Prerelease: no

Release notes:

v0.12.1 — Security Patch

This is a patch release that addresses a Jinja2 template injection vulnerability. All users of PyRIT 0.12.0 and earlier are encouraged to upgrade.

pip install --upgrade pyrit

What's changed

Security fix: Jinja2 Template Injection (SSTI)

PyRIT's template rendering used an unsandboxed Jinja2 Environment. Remote dataset loaders passed fetched data directly into SeedPrompt(value=...), which rendered it as a Jinja2 template in __post_init__. A poisoned dataset could exploit this for Python object traversal.

Mitigations in this release:

• Sandboxed rendering: All Jinja2 rendering now uses SandboxedEnvironment, blocking unsafe attribute access (__class__, __mro__, __subclasses__())
• Safe-by-default `SeedPrompt`: New is_jinja_template field (default False) auto-escapes values. Only trusted sources (YAML files loaded via from_yaml_file) opt in to template rendering.
• Vendored many-shot dataset: The many-shot jailbreaking dataset is now bundled locally, eliminating a runtime requests.get() to an external GitHub URL. fetch_many_shot_jailbreaking_dataset is

deprecated in favor of load_many_shot_jailbreaking_dataset (removal in 0.14.0).

Action required

• Upgrade: pip install --upgrade pyrit
• If you construct `SeedPrompt` with Jinja2 template syntax in your own code, add is_jinja_template=True to preserve rendering behavior. Without it, template syntax is now auto-escaped by default.
• If you call `fetch_many_shot_jailbreaking_dataset()`, switch to load_many_shot_jailbreaking_dataset().

Full list of changes

• FIX Mitigate Jinja2 Template Injection (SSTI) vulnerability (#1577) @romanlutz @adrian-gavrila

Full Changelog: https://github.com/microsoft/PyRIT/compare/v0.12.0...v0.12.1