CVE-2021-23443: Cross-site Scripting in edge.js
5.4
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.4692%
CWE
Published
9/22/2021
Updated
9/11/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
edge.js | npm | < 5.3.2 | 5.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from how non-string inputs (particularly arrays) were handled in the escape function. The pre-patch implementation:
- Used generic typing (T extends SafeValue) that preserved input types
- Only escaped strings and SafeValue instances
- Returned other types (like arrays/numbers) unmodified This allowed attackers to pass arrays containing malicious payloads that bypassed sanitization. The patch fixed this by:
- Changing return type to always be string
- Converting all non-SafeValue inputs to strings before escaping
- Adding tests demonstrating proper array/object handling Both the concrete implementation (Template.escape) and its interface (TemplateContract.escape) needed modification to enforce correct type handling.