Basic Information
CVSS Score: -
CVE ID: CVE-2023-39319
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
CVE-2023-39319 lies in the html/template package's context tracking: when the sequences "<script", "<!--" or "</script" appear inside a JavaScript literal within a <script> element, the escaper did not apply the proper rules for literal content and could treat them as the start or end of a script tag. The script context was then considered terminated early, and any {{...}} action that followed was escaped for the wrong context (HTML text instead of JavaScript). An attacker who controls the data rendered by such an action can turn that into XSS.
The pkg.go.dev/vuln/GO-2023-2043 URL was most informative, directly listing html/template.Template.Execute and html/template.Template.ExecuteTemplate as affected symbols. These are the public entry points that would be used to process a malicious template.

The fix CL (https://go.dev/cl/526157) points to the actual code changes. While I couldn't fetch the diff directly using tools due to JavaScript requirements or tool limitations with Go commits, I identified the changed files from common knowledge of Go CLs and cross-referencing: src/html/template/js.go and src/html/template/transition.go.

The transition function in transition.go is responsible for state transitions during parsing, making it a prime candidate for the fix. The js.go file contains logic for JavaScript context determination, and jsValCtx is a key function there, likely modified to support the transition function's new logic.

The commit (ae03f8053f830b2760301a4c099561390eb1e3c5, which references CL 526157 and issue #62197) confirms that the fix involves preventing html/template from treating occurrences of "<script", "<!--", or "</script" as starting or ending a <script> context if they are within JS literals. This aligns with changes in transition and jsValCtx.

Therefore, Template.Execute and Template.ExecuteTemplate are the high-level functions that would appear in a profiler, as they initiate the vulnerable process. The actual flawed logic and the fix reside in the internal functions html/template.transition and html/template.jsValCtx, which would also likely appear in a detailed profiler trace during exploitation or when the patched code path is exercised.
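A worked check of the behaviour described in the two passages above, added here as an example (it is not code from this page, from the Go advisory or from the Go project). Each constructed template places one of the three sequences from the advisory inside a JS string literal and follows it with an action carrying an attacker-style payload; the program runs them through Template.Execute and inspects whether the action came out as a quoted JS value (JS context) or as bare script text (HTML text context). The template sources, the payload and the helper names are this example's own. It assumes a toolchain that contains the fix (Go 1.20.8 / 1.21.1 or later), on which every case reports js-quoted=true; the advisory's description implies that on an unpatched toolchain one or more of these actions would instead be emitted in HTML text context, i.e. unquoted and therefore executable.

```go
// Added example (not from the advisory or the Go project): shows how
// html/template escapes an action that follows a JS string literal
// containing one of the special tag sequences named in CVE-2023-39319.
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed templates. Each puts one of the sequences from the advisory
// ("</script", "<!--", "<script") inside a JS string literal and then
// renders an action that must still be escaped as a JS value.
var cases = map[string]string{
	"closing-tag-in-string":  `<script>var marker = "</script"; var x = {{.}};</script>`,
	"html-comment-in-string": `<script>var marker = "<!--"; var x = {{.}};</script>`,
	"opening-tag-in-string":  `<script>var marker = "<script"; var x = {{.}};</script>`,
}

// payload stands in for attacker-controlled data. It contains no HTML
// special characters, so the HTML text escaper would pass it through
// unchanged; only the JS value escaper wraps it in quotes.
const payload = "1;alert(document.domain)//"

// render parses one template source and executes it with the payload.
func render(src string) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, payload); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// quotedAsJSValue reports whether the action was escaped in JS context:
// the JS value escaper emits a Go string as a double-quoted JS string
// literal directly after `var x = `. If the escaper had believed the
// script context was already closed, the payload would appear unquoted,
// as live JS statements.
func quotedAsJSValue(out string) bool {
	return strings.Contains(out, `var x = "`) && !strings.Contains(out, "var x = "+payload)
}

// check renders every case and returns the names of those whose action
// was NOT emitted as a JS value. An empty slice means the escaper kept
// the script context across all three literals.
func check() ([]string, error) {
	var bad []string
	for name, src := range cases {
		out, err := render(src)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if !quotedAsJSValue(out) {
			bad = append(bad, name)
		}
	}
	return bad, nil
}

func main() {
	for name, src := range cases {
		out, err := render(src)
		if err != nil {
			fmt.Printf("%-24s error: %v\n", name, err)
			continue
		}
		fmt.Printf("%-24s js-quoted=%v\n  %s\n", name, quotedAsJSValue(out), out)
	}
}
```

Run it with `go run .` against the toolchain you ship with; the same harness, pointed at a template of your own that mixes JS literals and actions, is a quick way to confirm that an upgrade actually changed how the escaper classifies those actions.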