CVE-2016-10547
cross-site scripting vulnerability in nunjucks (npm)
What is CVE-2016-10547 About?
This vulnerability is a cross-site scripting (XSS) flaw in `nunjucks` that occurs when specially structured user input in template variables is not properly escaped in auto-escape mode. Successful exploitation can lead to arbitrary client-side code execution, enabling various browser-based attacks. This XSS is relatively easy to exploit due to a simple bypass mechanism for escaping.
Affected Software
Technical Details
The vulnerability in nunjucks arises because the auto-escape mechanism does not handle template variables whose value is an array rather than a string. If a template variable is supplied in array form, for example name[]=<script>alert(1)</script>, the nunjucks template engine, even in auto-escape mode, does not escape the HTML special characters in the value, so the <script> tag is emitted verbatim. This bypasses the intended sanitization and renders the injected script directly into the HTML output. When a user's browser processes that HTML, the embedded script executes in the context of the vulnerable web application, resulting in a cross-site scripting attack.
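The following is an added illustration, not nunjucks source code, that models the behaviour described above: an escaping routine that only escapes values of type string lets an array-valued variable reach the output unescaped, while a variant that stringifies before escaping does not. The function names, the query-string parser and the sample input are constructed for this example and do not correspond to nunjucks internals.

```javascript
// Added illustration (not nunjucks source code): models the auto-escape gap
// described in CVE-2016-10547 and a hardened variant. All names are hypothetical.

const ESCAPE_MAP = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

function escapeHtml(str) {
  return String(str).replace(/[&"'<>]/g, (ch) => ESCAPE_MAP[ch]);
}

// Simplified model of the pre-fix behaviour: only primitive strings are
// escaped in auto-escape mode; any other value is stringified as-is.
// An array value is therefore joined by Array.prototype.toString and its
// characters reach the output untouched.
function renderVariableVulnerable(value, autoescape = true) {
  if (value === undefined || value === null) return '';
  if (autoescape && typeof value === 'string') return escapeHtml(value);
  return String(value);
}

// Hardened variant: stringify first, then escape, so every non-string
// value (arrays included) is escaped on its way into the output.
function renderVariableFixed(value, autoescape = true) {
  if (value === undefined || value === null) return '';
  const text = String(value);
  return autoescape ? escapeHtml(text) : text;
}

// Minimal model of how a query string such as "name[]=..." is parsed into an
// array-valued parameter by bracket-aware parsers (constructed, not a real
// parser; '+' handling and nested keys are deliberately omitted).
function parseQuery(qs) {
  const params = {};
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    if (key.endsWith('[]')) {
      const base = key.slice(0, -2);
      (params[base] = params[base] || []).push(val);
    } else {
      params[key] = val;
    }
  }
  return params;
}

// Defensive regression check: does any raw tag opener survive in the output?
function containsRawMarkup(html) {
  return /<[a-z!\/]/i.test(html);
}

// Constructed sample input in the array form the advisory describes.
const SAMPLE_QUERY = 'name[]=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// Renders the sample through both variants and reports whether markup leaked.
function demo() {
  const name = parseQuery(SAMPLE_QUERY).name;
  const vulnerable = renderVariableVulnerable(name);
  const fixed = renderVariableFixed(name);
  return {
    vulnerable,
    vulnerableLeaks: containsRawMarkup(vulnerable),
    fixed,
    fixedLeaks: containsRawMarkup(fixed),
  };
}
```

The `containsRawMarkup` check is the kind of assertion a test suite can run over rendered templates to catch regressions of this class: feed array-valued and object-valued variables through every template path that is expected to auto-escape and fail the test if a `<` survives.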
What is the Impact of CVE-2016-10547?
Successful exploitation may allow attackers to inject arbitrary client-side scripts, steal sensitive information (e.g., session cookies), deface web pages, redirect users to malicious sites, or perform actions on behalf of the user within the application.
What is the Exploitability of CVE-2016-10547?
Exploitation of this vulnerability is of low complexity. It requires the ability to supply specially crafted user input that is then processed by a vulnerable nunjucks template in auto-escape mode. No authentication is explicitly required if the vulnerable input field is publicly accessible. The attack is remote, as it relies on injecting malicious data via a web interface. The primary constraint is that the application must use nunjucks with a vulnerable version and process user-supplied input in template variables. The likelihood of exploitation increases if the application has many user-controlled input fields rendered directly into templates without proper backend validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-10547?
Available Upgrade Options
- nunjucks
  - <2.4.3 → Upgrade to 2.4.3
Additional Resources
- https://github.com/mozilla/nunjucks/issues/835
- https://github.com/matt-/nunjucks_test
- https://osv.dev/vulnerability/GHSA-f7ph-p5rv-phw2
- https://www.npmjs.com/advisories/147
- https://github.com/advisories/GHSA-f7ph-p5rv-phw2
- https://nvd.nist.gov/vuln/detail/CVE-2016-10547
- https://nodesecurity.io/advisories/147
What are Similar Vulnerabilities to CVE-2016-10547?
Similar Vulnerabilities: CVE-2017-7610, CVE-2017-7611, CVE-2017-7612, CVE-2017-7613, CVE-2017-7614
