org.webjars.npm:nunjucks 2.4.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:nunjucks package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) org.webjars.npm:nunjucks is a WebJar for nunjucks Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the second parameter, when more than one user-controlled parameter is used on the same line in a view. Autoescaping can be bypassed by including a `\` in the user input string. How to fix Cross-site Scripting (XSS)? Upgrade `org.webjars.npm:nunjucks` to version 3.2.4 or higher.	[,3.2.4)
H Prototype Pollution org.webjars.npm:nunjucks is a WebJar for nunjucks Affected versions of this package are vulnerable to Prototype Pollution. via the `constructor` class in nunjucks/src/runtime.js. How to fix Prototype Pollution? Upgrade `org.webjars.npm:nunjucks` to version 3.2.3 or higher.	[,3.2.3)
H Cross-site Scripting (XSS) `nunjucks` is a powerful templating engine. Like many templating engines, it automatically HTML encodes any `string` value included in the template using the `{{ some-variable }}` notation. These variables are often user-generated, but the HTML Encoding protects the application from Cross-site Scripting (XSS) attacks. However, if the variable passed in is an array, no HTML encoding is applied, exposing an easy path to XSS. The risk of exploit is especially high given the fact `express`, `koa` and many other Node.js servers allow users to force a query parameter to be an array using the `param[]=value` notation. How to fix Cross-site Scripting (XSS)? Upgrade to `nunjucks` version 2.4.3 or newer.	[,2.4.3)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

org.webjars.npm:nunjucks is a WebJar for nunjucks

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the second parameter, when more than one user-controlled parameter is used on the same line in a view. Autoescaping can be bypassed by including a \ in the user input string.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.npm:nunjucks to version 3.2.4 or higher.

[,3.2.4)

Prototype Pollution

org.webjars.npm:nunjucks is a WebJar for nunjucks

Affected versions of this package are vulnerable to Prototype Pollution. via the constructor class in nunjucks/src/runtime.js.

How to fix Prototype Pollution?

Upgrade org.webjars.npm:nunjucks to version 3.2.3 or higher.

[,3.2.3)

Cross-site Scripting (XSS)

nunjucks is a powerful templating engine.

Like many templating engines, it automatically HTML encodes any string value included in the template using the {{ some-variable }} notation. These variables are often user-generated, but the HTML Encoding protects the application from Cross-site Scripting (XSS) attacks.

However, if the variable passed in is an array, no HTML encoding is applied, exposing an easy path to XSS. The risk of exploit is especially high given the fact express, koa and many other Node.js servers allow users to force a query parameter to be an array using the param[]=value notation.

How to fix Cross-site Scripting (XSS)?

Upgrade to nunjucks version 2.4.3 or newer.

[,2.4.3)

org.webjars.npm:nunjucks@2.4.2 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?