NodeJS/nunjucks/1.3.3
A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)
https://www.npmjs.com/package/nunjucks
BSD
3 Security Vulnerabilities
Cross-Site Scripting in nunjucks
Affected versions of nunjucks do not properly escape specially structured user input in template vars when in auto-escape mode, resulting in a cross-site scripting vulnerability.
Proof of Concept
By using an array for the keys in a template var, escaping is bypassed.
```text
name[]=<script>alert(1)</script>
```
A full PoC is available in the references section.
Recommendation
Update to version 2.4.3 or later.
Nunjucks autoescape bypass leads to cross site scripting
- https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw
- https://github.com/mozilla/nunjucks/pull/1437
- https://github.com/mozilla/nunjucks/commit/ec16d210e7e13f862eccdb0bc9af9f60ff6749d6
- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
- https://github.com/mozilla/nunjucks/releases/tag/v3.2.4
- https://github.com/advisories/GHSA-x77j-w7wf-fjmw
- https://nvd.nist.gov/vuln/detail/CVE-2023-2142
Impact
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash `\` character.
Example
If the user-controlled parameters were used in the views similar to the following:
```html
<script>
let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
</script>
```
It is possible to inject XSS payload using the below parameters:
```text
https://<application-url>/?lang=jp\&place=};alert(document.domain)//
```
Patches
The issue was patched in version 3.2.4.
XSS in autoescape mode
Nunjucks is a full featured templating engine for JavaScript.
Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as `name[]=<script>alert(1)</script>`, it is possible to bypass autoescaping and inject content into the DOM.
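The two advisory classes above (array values slipping past a strings-only escaper, and a backslash defeating HTML escaping inside a JavaScript string literal) come down to two renderer properties: escape the string form of every value regardless of its type, and encode values placed in a script context with a context-specific encoder rather than the HTML escaper. The JavaScript below is an added illustration of those properties, not nunjucks' own code and not the advisories' PoC; the function names are hypothetical, and the `roundTrip` self-check uses `new Function` only to confirm the rendered script has no effect beyond defining the object.

```javascript
// Added example (not nunjucks' own code): the two encoding properties a
// template renderer needs so that neither bypass described in the advisories
// above works. Function names are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text/attribute context. The value is coerced to a string *before* the
// escape decision, so an array produced by a query-string parser from
// `name[]=...` is escaped like any other value instead of being stringified
// unescaped by a "strings only" fast path.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string-literal context inside an inline <script>. HTML escaping is
// the wrong tool here: it leaves `\` and the quote characters untouched, which
// is exactly what the backslash bypass relies on. JSON.stringify escapes quotes
// and backslashes; the extra replacements stop `</script>` and `<!--` from
// ending the script element early, since the HTML parser does not know about
// JS string boundaries.
function encodeForJsString(value) {
  const str = value === null || value === undefined ? '' : String(value);
  return JSON.stringify(str)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// The view from the second advisory, rendered with the context-appropriate
// encoder for each interpolation. Returns the script body as text.
function renderTestObjectScript(lang, place) {
  return `let testObject = { lang: ${encodeForJsString(lang)}, place: ${encodeForJsString(place)} };`;
}

// Defensive self-check: evaluate the rendered script in isolation and return
// the object it defines, so a test can confirm the original strings survive
// unchanged and nothing else was executed.
function roundTrip(lang, place) {
  const script = renderTestObjectScript(lang, place);
  return new Function(`${script} return testObject;`)();
}
```

`escapeHtml` is only correct for HTML text and quoted attribute values; `encodeForJsString` is only correct inside a JS string literal within a script block. Picking the encoder by output context, rather than applying one global autoescape and hoping it covers every position, is what removes both bypass classes.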
58 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
0.1.0 | BSD-2-Clause | 3 | 2012-09-19 - 17:49 | almost 13 years |
0.1.0-a6 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
0.1.0-a5 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
0.1.0-a4 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
0.1.0-a3 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
0.1.0-a2 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
0.1.0-b1 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |
0.1.0-a1 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 11 years |