Improper handling of JavaScript whitespace in html/template
CVE-2023-24540

9.8CRITICAL

Key Information:

Vendor: Go Standard Library
Status: Html/template
Vendor: CVE Published:; 11 May 2023

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2023-24540?

The vulnerability involves a failure to recognize certain valid JavaScript whitespace characters in the Go programming language. This oversight can lead to improper sanitization of templates containing these characters within execution contexts that involve actions. Developers using Go may find that the presence of whitespace characters outside of the expected set can result in security risks, highlighting the importance of rigorous input validation to ensure safe template processing.

Affected Version(s)

html/template 0 < 1.19.9

html/template 1.20.0-0 < 1.20.4

References

https://go.dev/issue/59721

https://go.dev/cl/491616

https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2023
Vulnerability Reserved
Jan 25, 2023

Credit

Juho Nurminen of Mattermost