Skip to content

Update dependency nunjucks to v3.2.4 [SECURITY]#6

Open
chzauleck wants to merge 1 commit intorel-11_0from
renovate/npm-nunjucks-vulnerability
Open

Update dependency nunjucks to v3.2.4 [SECURITY]#6
chzauleck wants to merge 1 commit intorel-11_0from
renovate/npm-nunjucks-vulnerability

Conversation

@chzauleck
Copy link
Owner

@chzauleck chzauleck commented Dec 10, 2025

This PR contains the following updates:

Package Change Age Confidence
nunjucks 3.2.2 -> 3.2.4 age confidence

GitHub Vulnerability Alerts

CVE-2023-2142

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Example

If the user-controlled parameters were used in the views similar to the following:

<script>
let testObject = { lang: '', place: '' };
</script>

It is possible to inject XSS payload using the below parameters:

https://<application-url>/?lang=jp\&place=};alert(document.domain)//

Patches

The issue was patched in version 3.2.4.

References

Nunjucks autoescape bypass leads to cross site scripting

CVE-2023-2142 / GHSA-x77j-w7wf-fjmw

More information

Details

Impact

In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash \ character.

Example

If the user-controlled parameters were used in the views similar to the following:

<script>
let testObject = { lang: '', place: '' };
</script>

It is possible to inject XSS payload using the below parameters:

https://<application-url>/?lang=jp\&place=};alert(document.domain)//
Patches

The issue was patched in version 3.2.4.

References

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

mozilla/nunjucks (nunjucks)

v3.2.4

Compare Source

  • HTML encode backslashes when expressions are passed through the escape
    filter (including when this is done automatically with autoescape). Merge
    of #​1437.

v3.2.3

Compare Source

  • Add support for nested attributes on
    sort filter;
    respect throwOnUndefined if sort attribute is undefined.
  • Add base arg to
    int filter.
  • Move chokidar to peerDependencies and mark it optional in peerDependenciesMeta.
  • Fix prototype pollution issue for template variables. Merge of
    #​1330; fixes
    #​1331. Thanks
    ChenKS12138!

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chzauleck @renovate-bot