
CVE-2021-32818: Insecure template handling in haml-coffee

CVSS Score (CVSS 3.1): 7.7

Basic Information

EPSS Score: 0.51177%
Published: 5/17/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name: haml-coffee
Ecosystem: npm
Vulnerable Versions: <= 1.14.1
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from haml-coffee's design, which merges template data with engine configuration options via Express's render API. The `express` method is explicitly documented as the integration point for Express, which makes it a conduit for injecting malicious configuration. The `compile` function's handling of options such as `customHtmlEscape` (used in the RCE PoC) and `escapeHtml` (used in the XSS PoC) directly enables the exploits. Both functions are central to the insecure mixing of data and configuration described in the advisory.
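As an added example (not code from haml-coffee, Express or this page), the unsafe merge described above is shown beside a hardened wrapper that keeps request data and engine options apart. The function names, the `engineDefaults` object and the request body are constructed for illustration, and the option-key list contains only the two option names this page mentions.

```javascript
// Added example (not haml-coffee's or Miggo's code): models the unsafe merge of
// request-derived locals into view-engine options that the advisory describes,
// next to a hardened wrapper that only forwards an allowlist of data keys.

// Option names taken from this page; haml-coffee's full option list is not
// reproduced here, so treat this as a starting denylist, not a complete one.
const ENGINE_OPTION_KEYS = new Set(['customHtmlEscape', 'escapeHtml']);

// Vulnerable pattern: every key in `locals` becomes an engine option, so a
// request body that carries an option name overrides the engine's defaults.
function mergeLocalsUnsafely(engineDefaults, locals) {
  return Object.assign({}, engineDefaults, locals);
}

// Hardened pattern: only keys in `allowedDataKeys` are copied from `locals`,
// engine option names can never be allowlisted, and every rejected key is
// returned so the caller can log it (a useful detection signal).
function buildRenderLocals(engineDefaults, locals, allowedDataKeys) {
  for (const key of allowedDataKeys) {
    if (ENGINE_OPTION_KEYS.has(key)) {
      throw new Error(`engine option "${key}" must not be allowlisted as data`);
    }
  }
  const safe = Object.assign({}, engineDefaults);
  const blocked = [];
  for (const key of Object.keys(locals)) {
    if (allowedDataKeys.has(key)) {
      safe[key] = locals[key];
    } else {
      blocked.push(key);
    }
  }
  return { locals: safe, blocked };
}

// Constructed sample: engine defaults and a JSON body as a request might carry.
const engineDefaults = { escapeHtml: true };
const untrustedBody = JSON.parse(
  '{"name":"alice","customHtmlEscape":"OVERRIDDEN","escapeHtml":false}',
);

// Unsafe: both option names from the body reach the engine.
const unsafe = mergeLocalsUnsafely(engineDefaults, untrustedBody);
// Hardened: only `name` is forwarded; the two option names are reported.
const hardened = buildRenderLocals(engineDefaults, untrustedBody, new Set(['name']));
console.log('unsafe:', unsafe);
console.log('hardened:', hardened.locals, 'blocked:', hardened.blocked);
```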


WAF Protection Rules

WAF Rule

haml-coffee is a JavaScript templating solution. haml-coffee mixes pure template data with engine configuration options through the Express render API. More specifically, haml-coffee supports overriding a series of HTML helper functions through its
