
CVE-2023-2142: Nunjucks autoescape bypass leads to cross site scripting

CVSS Score
6.1 (CVSS v3.1)

Basic Information

EPSS Score
0.21092%
Published
4/20/2023
Updated
11/26/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
nunjucks | npm | < 3.2.4 | 3.2.4

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from incomplete HTML escaping in Nunjucks' autoescape mechanism. The fix commit, released in 3.2.4, shows:

  1. Backslash was added to escapeMap, encoded as the HTML entity &#92;
  2. escapeRegex was extended so that backslashes are matched and replaced
  3. Tests were added for backslash escaping

The core defect was therefore in the escaping logic in lib.js. The autoescape feature relies on escapeMap and escapeRegex to neutralize special characters, and because backslash was not among them it passed through unchanged. That matters when an interpolated value lands inside a JavaScript string literal in the rendered page: a value ending in a backslash escapes the closing quote of that literal, so a second user-controlled value on the same line is no longer inside a string and is parsed as code. Quotes and angle brackets are still escaped, but the attacker needs neither once the first literal has been extended past its intended end. Encoding the backslash as &#92; closes the gap, because a browser does not decode entities inside a script block, so the rendered literal ends exactly where the template author placed its quote.
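The following is an added illustration of the bypass and the fix, not code from the page or from the Nunjucks project. It reconstructs the escape routine before and after 3.2.4 from the three points listed above (the names escapeMapVuln, escapeMapFixed, renderScript, payloadExecuted and the attacker inputs are assumptions for this example), renders a template line holding two user-controlled values inside single-quoted JavaScript strings, and runs the result the way a browser would run an inline script block to show which version lets the second value execute.

```javascript
// Added illustration of CVE-2023-2142 (not nunjucks' own code): the escape
// routine reconstructed before and after the 3.2.4 fix, applied to a script
// line with two user-controlled values.

// Pre-fix table and regex, modeled on the commit description: no backslash.
const escapeMapVuln = {
  "&": "&amp;",
  '"': "&quot;",
  "'": "&#39;",
  "<": "&lt;",
  ">": "&gt;",
};
const escapeRegexVuln = /[&"'<>]/g;

// Post-fix: backslash added to the map (as &#92;) and to the character class.
const escapeMapFixed = { ...escapeMapVuln, "\\": "&#92;" };
const escapeRegexFixed = /[&"'<>\\]/g;

function escapeVuln(val) {
  return String(val).replace(escapeRegexVuln, (ch) => escapeMapVuln[ch]);
}

function escapeFixed(val) {
  return String(val).replace(escapeRegexFixed, (ch) => escapeMapFixed[ch]);
}

// Stand-in for a template such as
//   <script>var a = '{{ a }}'; var b = '{{ b }}';</script>
// rendered with autoescape on: both values pass through the escape routine.
function renderScript(escapeFn, a, b) {
  return `var a = '${escapeFn(a)}'; var b = '${escapeFn(b)}';`;
}

// Runs the rendered script as an inline <script> would be run, passing it a
// `sink` object. Returns true only if the payload reached code context and
// wrote to the sink; a syntax error or a payload that stays inside a string
// literal leaves the sink untouched.
function payloadExecuted(script) {
  const sink = { pwned: false };
  try {
    new Function("sink", script)(sink);
  } catch (e) {
    // Broken script: the injection did not run.
  }
  return sink.pwned;
}

// Constructed attacker input (assumed, not from the advisory): the trailing
// backslash in the first value escapes the closing quote of the first string
// literal, so the second value is parsed as code. No quote or angle bracket is
// needed, which is why the pre-fix escaping does not stop it.
const ATTACKER_A = "\\";
const ATTACKER_B = ";sink.pwned=true//";

function demo() {
  const vuln = renderScript(escapeVuln, ATTACKER_A, ATTACKER_B);
  const fixed = renderScript(escapeFixed, ATTACKER_A, ATTACKER_B);
  return {
    vulnScript: vuln,                      // var a = '\'; var b = ';sink.pwned=true//';
    vulnExecuted: payloadExecuted(vuln),   // true
    fixedScript: fixed,                    // var a = '&#92;'; var b = ';sink.pwned=true//';
    fixedExecuted: payloadExecuted(fixed), // false
  };
}

console.log(demo());
```

The pre-fix line parses as one string literal running from the first quote to the quote that was meant to open b, followed by a bare statement and a line comment. With &#92; in place the first literal ends where the template wrote it, because entities are not decoded inside a script block. Note that the same entity escaping gives no protection inside an HTML attribute such as an inline event handler, where the browser decodes &#39; back to a quote before the JavaScript runs; values destined for JavaScript are safer serialized with JSON.stringify and a further escape of &lt; and &gt;, or passed through data attributes and read from the DOM.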


WAF Protection Rules

WAF Rule

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to
