CVE-2023-2142
Cross-Site Scripting vulnerability in nunjucks (npm)


What is CVE-2023-2142 About?

This vulnerability in Nunjucks versions prior to 3.2.4 allows attackers to bypass autoescape functionality and inject cross-site scripting (XSS) payloads. The flaw occurs when two user-controlled parameters are on the same line in views and a backslash character is used. This can lead to arbitrary client-side code execution, and exploitation is relatively straightforward with crafted input.

Affected Software

nunjucks <3.2.4

Technical Details

The vulnerability affects Nunjucks versions older than 3.2.4. It arises when the autoescape functionality is active, but two user-controlled parameters are rendered on the same line within a view template. An attacker can use a backslash (\) character in one parameter to escape the rendering context and then inject a cross-site scripting (XSS) payload via the second parameter. For example, if a template contains <script>let testObject = { lang: '{{ lang }}', place: '{{ place }}' };</script>, providing lang=jp\ and place=};alert(document.domain)// would result in the XSS payload being executed in the user's browser, bypassing the intended autoescaping.

What is the Impact of CVE-2023-2142?

Successful exploitation may allow attackers to execute arbitrary client-side script in the victim's browser, leading to session hijacking, defacement, or redirection to malicious sites.

What is the Exploitability of CVE-2023-2142?

Exploitation is of low complexity. The primary prerequisite is the application using a vulnerable Nunjucks version and rendering at least two user-controlled parameters on the same line without proper contextual escaping. No specific authentication is required if the attacker can control the input parameters that are reflected in the Nunjucks template. This is a remote vulnerability, typically exploited via a crafted URL or form submission. Privilege requirements are low. The special conditions include the specific template structure and the use of the backslash character to facilitate the bypass. The likelihood of exploitation is increased if an application widely uses Nunjucks with user-supplied data in templates, especially those with multiple parameters on a single line.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: none listed (no known public exploits).

What are the Available Fixes for CVE-2023-2142?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch updates the escaping logic to also escape backslashes (\), both in the escape map and regex, ensuring they are output safely as &#92;. By doing so, it prevents input containing backslashes from breaking out of string contexts and potentially enabling injection attacks, which addresses the template injection vulnerability CVE-2023-2142. The accompanying tests verify that backslashes are now correctly escaped, closing the vector exploited by this vulnerability.
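The following is an added example, not code from the nunjucks project or from Resolved Security: a minimal HTML escaper modelled on the fix described above (backslash added to both the escape map and the regex), applied to the two-parameter view from the Technical Details section, plus a small scanner that checks whether the rendered values stay inside their JS string literals. The map, regex and function names are assumptions for illustration.

```javascript
// Added example, not the nunjucks project's code: a minimal HTML escaper modelled on
// the fix described above (backslash added to the escape map and regex) and a small
// scanner that checks whether rendered values stay inside their JS string literals.

const escapeMapBefore = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
const escapeMapAfter = { ...escapeMapBefore, '\\': '&#92;' }; // the 3.2.4-style entry

// Pre-fix style: quotes are escaped, so a lone quote cannot close the literal, but a
// trailing backslash passes through untouched.
const escapeBefore = (v) => String(v).replace(/[&"'<>]/g, (c) => escapeMapBefore[c]);
// Fixed style: the regex and the map both cover the backslash.
const escapeAfter = (v) => String(v).replace(/[&"'<>\\]/g, (c) => escapeMapAfter[c]);

// The view from the advisory: two user-controlled values on one line in a <script>.
function renderView(escape, lang, place) {
  return `let testObject = { lang: '${escape(lang)}', place: '${escape(place)}' };`;
}

// Walk single-quoted JS string literals the way a tokenizer would: inside a literal a
// backslash consumes the next character, so `\'` does not close the string.
// Returns the literal bodies and the code left outside any literal.
function scanSingleQuoted(js) {
  const literals = [];
  let code = '';
  for (let i = 0; i < js.length; ) {
    if (js[i] !== "'") { code += js[i++]; continue; }
    let body = '';
    i++; // opening quote
    while (i < js.length && js[i] !== "'") {
      if (js[i] === '\\' && i + 1 < js.length) { body += js[i] + js[i + 1]; i += 2; }
      else body += js[i++];
    }
    i++; // closing quote (or end of input if the literal is unterminated)
    literals.push(body);
  }
  return { literals, code };
}

// Hardening check: the code outside the literals must be the template skeleton, i.e.
// identical to what rendering with empty values leaves outside the quotes.
function valuesStayInStrings(escape, lang, place) {
  const skeleton = scanSingleQuoted(renderView(() => '', '', '')).code;
  return scanSingleQuoted(renderView(escape, lang, place)).code === skeleton;
}

// The advisory's inputs: `lang=jp\` and `place=};alert(document.domain)//`.
const lang = 'jp\\';
const place = '};alert(document.domain)//';
console.log('pre-fix  :', valuesStayInStrings(escapeBefore, lang, place)); // false
console.log('3.2.4-fix:', valuesStayInStrings(escapeAfter, lang, place));  // true
```

With the pre-fix escaper the scanner finds `};alert(document.domain)//` outside any string literal, because the backslash swallowed the closing quote of `lang`; with the backslash escaped as `&#92;` the code outside the literals is exactly the template skeleton.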

Available Upgrade Options

  • nunjucks
    • <3.2.4 → Upgrade to 3.2.4


Additional Resources

What are Similar Vulnerabilities to CVE-2023-2142?

Similar Vulnerabilities: CVE-2021-32760, CVE-2021-23340, CVE-2020-11022, CVE-2019-11358, CVE-2018-1000632