NodeJS/nunjucks/1.3.3
A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)
https://www.npmjs.com/package/nunjucks
BSD
3 Security Vulnerabilities
Cross-Site Scripting in nunjucks
Affected versions of nunjucks do not properly escape specially structured user input in template variables when in autoescape mode, resulting in a cross-site scripting vulnerability.
Proof of Concept
By using an array for the keys in a template var, escaping is bypassed.
```javascript
name[]=<script>alert(1)</script>
```
A full PoC is available in the references section.
Recommendation
Update to version 2.4.3 or later.
Nunjucks autoescape bypass leads to cross site scripting
Impact
In Nunjucks versions prior to 3.2.4, it was possible to bypass the restrictions provided by the autoescape functionality. If two user-controlled parameters were used on the same line in a view, it was possible to inject cross-site scripting payloads using the backslash (`\`) character.
Example
If the user-controlled parameters were used in the views similar to the following:
```html
<script>
let testObject = { lang: '{{ lang }}', place: '{{ place }}' };
</script>
```
It is possible to inject an XSS payload using the following parameters:
```
https://<application-url>/?lang=jp\&place=};alert(document.domain)//
```
Patches
The issue was patched in version 3.2.4.
References
- https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw
- https://github.com/mozilla/nunjucks/pull/1437
- https://github.com/mozilla/nunjucks/commit/ec16d210e7e13f862eccdb0bc9af9f60ff6749d6
- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
- https://github.com/mozilla/nunjucks/releases/tag/v3.2.4
- https://github.com/advisories/GHSA-x77j-w7wf-fjmw
XSS in autoescape mode
Nunjucks is a full featured templating engine for JavaScript.
Versions 2.4.2 and lower have a cross-site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template variables should automatically be escaped. By using an array for the keys, such as `name[]=<script>alert(1)</script>`, it is possible to bypass autoescaping and inject content into the DOM.
58 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
3.2.4 | BSD-2-Clause | | 2023-04-13 - 14:43 | about 1 year
3.2.3 | BSD-2-Clause | 1 | 2021-02-15 - 19:38 | over 3 years |
3.2.2 | BSD-2-Clause | 1 | 2020-07-20 - 04:38 | almost 4 years |
3.2.1 | BSD-2-Clause | 1 | 2020-03-17 - 13:48 | about 4 years |
3.2.0 | BSD-2-Clause | 1 | 2019-03-05 - 17:30 | about 5 years |
3.1.7 | BSD-2-Clause | 1 | 2019-01-12 - 18:40 | over 5 years |
3.1.6 | BSD-2-Clause | 1 | 2018-12-13 - 23:58 | over 5 years |
3.1.4 | BSD-2-Clause | 1 | 2018-11-09 - 05:15 | over 5 years |
3.1.3 | BSD-2-Clause | 1 | 2018-05-19 - 15:52 | almost 6 years |
3.1.2 | BSD-2-Clause | 1 | 2018-02-24 - 00:35 | about 6 years |
3.1.0 | BSD-2-Clause | 1 | 2018-02-20 - 04:38 | about 6 years |
3.0.1 | BSD-2-Clause | 1 | 2017-05-24 - 13:10 | almost 7 years |
3.0.0 | BSD-2-Clause | 1 | 2016-11-05 - 10:35 | over 7 years |
2.5.2 | BSD-2-Clause | 1 | 2016-09-14 - 09:13 | over 7 years |
2.5.1 | BSD-2-Clause | 1 | 2016-09-13 - 07:30 | over 7 years |
2.5.0 | BSD-2-Clause | 1 | 2016-09-07 - 20:38 | over 7 years |
2.4.3 | BSD-2-Clause | 1 | 2016-09-07 - 16:39 | over 7 years |
2.4.2 | BSD-2-Clause | 3 | 2016-04-15 - 21:30 | about 8 years |
2.4.1 | BSD-2-Clause | 3 | 2016-03-17 - 18:44 | about 8 years |
2.4.0 | BSD-2-Clause | 3 | 2016-03-10 - 21:20 | about 8 years |
2.3.0 | BSD-2-Clause | 3 | 2016-01-06 - 23:04 | over 8 years |
2.2.0 | BSD-2-Clause | 3 | 2015-11-23 - 20:27 | over 8 years |
2.1.0 | BSD-2-Clause | 3 | 2015-09-21 - 20:39 | over 8 years |
2.0.0 | BSD-2-Clause | 3 | 2015-08-28 - 00:11 | over 8 years |
1.3.4 | BSD | 3 | 2015-04-27 - 20:38 | about 9 years |
1.3.3 | BSD | 3 | 2015-04-03 - 21:43 | about 9 years |
1.3.1 | BSD | 3 | 2015-04-03 - 20:50 | about 9 years |
1.3.0 | BSD | 3 | 2015-04-03 - 16:43 | about 9 years |
1.2.0 | BSD | 3 | 2015-02-04 - 22:05 | over 9 years |
1.1.0 | BSD | 3 | 2014-09-30 - 17:36 | over 9 years |
1.0.7 | BSD | 3 | 2014-08-15 - 19:09 | almost 10 years |
1.0.6 | BSD | 3 | 2014-08-15 - 19:00 | almost 10 years |
1.0.5 | BSD | 3 | 2014-05-02 - 00:50 | about 10 years |
1.0.4 | BSD | 3 | 2014-04-04 - 20:47 | about 10 years |
1.0.3 | BSD | 3 | 2014-04-04 - 20:43 | about 10 years |
1.0.2 | BSD | 3 | 2014-03-25 - 19:35 | about 10 years |
1.0.1 | BSD | 3 | 2013-12-16 - 23:12 | over 10 years |
1.0.0 | BSD-2-Clause | 3 | 2013-10-24 - 20:09 | over 10 years |
0.1.10 | BSD-2-Clause | 3 | 2013-08-09 - 14:42 | almost 11 years |
0.1.9 | BSD-2-Clause | 3 | 2013-05-31 - 04:47 | almost 11 years |
0.1.8 | BSD-2-Clause | 3 | 2013-02-06 - 18:20 | over 11 years |
0.1.8-a | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 10 years |
0.1.7 | BSD-2-Clause | 3 | 2012-12-12 - 17:01 | over 11 years |
0.1.6 | BSD-2-Clause | 3 | 2012-11-13 - 16:49 | over 11 years |
0.1.5 | BSD-2-Clause | 3 | 2012-10-11 - 18:27 | over 11 years |
0.1.4 | BSD-2-Clause | 3 | 2012-10-03 - 18:35 | over 11 years |
0.1.4-a | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 10 years |
0.1.3 | BSD-2-Clause | 3 | 2012-10-01 - 19:07 | over 11 years |
0.1.2 | BSD-2-Clause | 3 | 2012-09-20 - 16:25 | over 11 years |
0.1.1 | BSD-2-Clause | 3 | 2012-09-20 - 16:25 | over 11 years |
0.1.0 | BSD-2-Clause | 3 | 2012-09-19 - 17:49 | over 11 years |
0.1.0-a6 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 10 years |
0.1.0-a5 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 10 years |
0.1.0-a4 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 10 years |
0.1.0-a3 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 10 years |
0.1.0-a2 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 10 years |
0.1.0-b1 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 10 years |
0.1.0-a1 | BSD-2-Clause | 3 | 2013-12-16 - 23:11 | over 10 years |