
CVE-2021-23416: Cross-site Scripting in curly-bracket-parser

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.47285%
Published: 8/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name: curly-bracket-parser
Ecosystem: npm
Vulnerable Versions: <= 1.0.2
First Patched Version: (not listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The core vulnerability stems from the parse function's handling of template variables. Key evidence:

  1. The function uses eval(name) to process numeric values, though this isn't directly XSS-related
  2. User-controlled values are inserted via _replaceAll() without any default HTML escaping
  3. Filters must be explicitly applied (via |filter syntax) for sanitization, but no default escaping filter exists
  4. The Snyk PoC shows direct injection of <script> tags through unfiltered variables
  5. The library's responsibility as a template engine requires output encoding by default, which is not implemented
  6. The vulnerability manifests when users don't manually apply HTML-escaping filters to every potentially dangerous variable

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input.
