Backticks not treated as string delimiters in html/template
CVE-2023-24538

9.8 CRITICAL

Key Information:

CVE Published: 6 April 2023

Badges: 👾 Exploit Exists

What is CVE-2023-24538?

The vulnerability arises from the improper handling of backticks (`) within JavaScript template literals in Go's html/template package. Because the contextual escaper did not treat the backtick as a string delimiter, the contents of a Go template action placed inside such a literal could terminate it, potentially allowing arbitrary JavaScript code to be injected. Due to the complexity of ES6 template literals, the Go programming team decided to disallow Go template actions within them entirely, as there is no safe way to permit this functionality. With the release of Go 1.21, a fix is introduced whereby parsing such templates returns an error, effectively mitigating this risk. Users who wish to retain the previous behavior can do so through a GODEBUG flag, but should do so with caution given the security implications.

Affected Version(s)

html/template 0 < 1.19.8

html/template 1.20.0-0 < 1.20.3

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Sohom Datta, Manipal Institute of Technology