Vulnerability Report: GO-2024-2610

standard library

CVE-2024-24785
Affects: html/template
Published: Mar 05, 2024
Modified: May 20, 2024

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

Affected Packages

Path

Go Versions

Symbols
html/template

before go1.21.8, from go1.22.0-0 before go1.22.1
- Template.Execute
- Template.ExecuteTemplate

Aliases

CVE-2024-24785

References

https://go.dev/issue/65697
https://go.dev/cl/564196
https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
https://vuln.go.dev/ID/GO-2024-2610.json

Credits

RyotaK (https://ryotak.net)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL