CVE-2021-23443: Cross-site Scripting in edge.js

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.4692%
Published: 9/22/2021
Updated: 9/11/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name: edge.js
Ecosystem: npm
Vulnerable Versions: < 5.3.2
First Patched Version: 5.3.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from how non-string inputs (particularly arrays) were handled in the escape function. The pre-patch implementation:

  1. Used generic typing (T extends SafeValue) that preserved input types
  2. Only escaped strings and SafeValue instances
  3. Returned other types (like arrays/numbers) unmodified

This allowed attackers to pass arrays containing malicious payloads that bypassed sanitization. The patch fixed this by:

  • Changing the return type to always be string
  • Converting all non-SafeValue inputs to strings before escaping
  • Adding tests demonstrating proper array/object handling

Both the concrete implementation (Template.escape) and its interface (TemplateContract.escape) needed modification to enforce correct type handling.
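The following is an added illustrative example, not edge.js's own source. It models the pattern the root cause analysis describes: an escape function that handles only strings and SafeValue instances and passes every other type through unchanged, next to a hardened version that coerces all non-SafeValue inputs to a string before escaping. The names SafeValue, escapeVulnerable, escapeFixed, render and escapesAllTypes are assumptions chosen for the example; the inputs are constructed.

```javascript
// Added illustrative example, not edge.js's own source. It models the pattern
// the root cause analysis describes: an escape() that handles only strings and
// SafeValue instances and passes every other type (arrays, numbers, objects)
// through untouched, next to a hardened version that coerces to string first.
// Names (SafeValue, escapeVulnerable, escapeFixed, render) are assumptions.

// Stand-in for a SafeValue: markup the template author has declared trusted.
class SafeValue {
  constructor(value) {
    this.value = value;
  }
}

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Plain HTML escaper; only ever called with a string.
function escapeHTML(str) {
  return str.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pre-patch shape. A generic signature (escape<T>(input: T): T) lets the return
// type follow the input type, and the body matches that: anything that is
// neither a string nor a SafeValue is returned as-is.
function escapeVulnerable(input) {
  if (input instanceof SafeValue) return input.value;
  if (typeof input === 'string') return escapeHTML(input);
  return input; // type confusion: an array reaches the output unescaped
}

// Post-patch shape. Every non-SafeValue input is converted to a string before
// escaping, so the return type is always string and no branch skips escaping.
function escapeFixed(input) {
  if (input instanceof SafeValue) return input.value;
  return escapeHTML(String(input));
}

// Minimal model of interpolating a value into template output. String
// concatenation is where an array returned unescaped gets joined into the
// page: ['<b>x</b>'] becomes '<b>x</b>' with no escaping applied.
function render(escapeFn, value) {
  return `<p>${escapeFn(value)}</p>`;
}

// Regression check a maintainer could keep: for a set of non-string inputs,
// the escaper must always return a string containing no raw '<' or '>'.
function escapesAllTypes(escapeFn) {
  const samples = ['<b>s</b>', ['<b>a</b>'], { toString: () => '<b>o</b>' }, 7];
  return samples.every((s) => {
    const out = escapeFn(s);
    return typeof out === 'string' && !/[<>]/.test(out);
  });
}

// Constructed demo input; the array form is the one the advisory describes.
const demo = ['<b>untrusted</b>'];
console.log('vulnerable:', render(escapeVulnerable, demo));
console.log('fixed:     ', render(escapeFixed, demo));
```

Run with `node` to see the two rendered outputs side by side. The escapesAllTypes check is the kind of test the patch added: it fails for the generic passthrough version and passes once every non-SafeValue input is stringified before escaping.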


WAF Protection Rules

WAF Rule

Edge is a logical and batteries included template engine for Node.js. This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a strin
