CVE-2021-23416: Cross-site Scripting in curly-bracket-parser
CVSS Score: 5.4 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-23416
GHSA ID
EPSS Score: 0.47285%
CWE
Published: 8/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
curly-bracket-parser | npm | <= 1.0.2 | 
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The core vulnerability stems from the parse function's handling of template variables. Key evidence:
- The function uses eval(name) to process numeric values; this is a separate concern and not directly XSS-related
- User-controlled values are inserted via _replaceAll() without any default HTML escaping
- Filters must be applied explicitly (via the |filter syntax) to sanitize a value, and no escaping filter is applied by default
- The Snyk PoC shows direct injection of <script> tags through unfiltered variables
- As a template engine, the library is responsible for encoding output by default, and it does not
- The vulnerability manifests whenever a caller omits an HTML-escaping filter on a variable that carries untrusted input