Vulnerability Report: GO-2023-1752

standard library

CVE-2023-24540
Affects: html/template
Published: May 05, 2023
Modified: May 20, 2024

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Affected Packages

Path

Go Versions

Symbols
html/template

before go1.19.9, from go1.20.0-0 before go1.20.4
- Template.Execute
- Template.ExecuteTemplate

Aliases

CVE-2023-24540

References

https://go.dev/issue/59721
https://go.dev/cl/491616
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
https://vuln.go.dev/ID/GO-2023-1752.json

Credits

Juho Nurminen of Mattermost

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL