7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32818

GHSA ID

GHSA-m7mf-vm62-7x3q

EPSS Score

0.51177%

CWE

CWE-79

Published

5/17/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32818

CVE-2021-32818: Insecure template handling in haml-coffee

haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its configuration options. A vulnerable application that passes user controlled request objects to the haml-coffee template engine may introduce RCE vulnerabilities. Additionally control over the escapeHtml parameter through template configuration pollution ensures that haml-coffee would not sanitize template inputs that may result in reflected Cross Site Scripting attacks against downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of haml-coffee is currently 1.14.1. For complete details refer to the referenced GHSL-2021-025.

(GitHub Advisory)

7.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32818

GHSA ID

GHSA-m7mf-vm62-7x3q

EPSS Score

0.51177%

CWE

CWE-79

Published

5/17/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
haml-coffee	npm	<= 1.14.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from haml-coffee's design that merges template data with engine configuration options via Express's render API. The express method is explicitly mentioned as the integration point for Express, making it a conduit for injecting malicious configurations. The compile function's handling of options like customHtmlEscape (used in RCE PoC) and escapeHtml (used in XSS PoC) directly enables the exploits. Both functions are central to the insecure mixing of data/configuration described in the advisory.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**ml-*o**** is * J*v*S*ript t*mpl*tin* solution. **ml-*o**** mix*s pur* t*mpl*t* **t* wit* *n*in* *on*i*ur*tion options t*rou** t** *xpr*ss r*n**r *PI. Mor* sp**i*i**lly, **ml-*o**** supports ov*rri*in* * s*ri*s o* *TML **lp*r *un*tions t*rou** its *

Reasoning

T** vuln*r**ility st*ms *rom **ml-*o****'s **si*n t**t m*r**s t*mpl*t* **t* wit* *n*in* *on*i*ur*tion options vi* *xpr*ss's r*n**r *PI. T** `*xpr*ss` m*t*o* is *xpli*itly m*ntion** *s t** int**r*tion point *or *xpr*ss, m*kin* it * *on*uit *or inj**ti

7.7

Basic Information

Concerned about an active attack path?

CVE-2021-32818: Insecure template handling in haml-coffee

7.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI