nunjucks@2.3.0 vulnerabilities

A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)

Direct Vulnerabilities

Known vulnerabilities in the nunjucks package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

nunjucks is a powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired).

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the second parameter, when more than one user-controlled parameter is used on the same line in a view. Autoescaping can be bypassed by including a \ in the user input string.

How to fix Cross-site Scripting (XSS)?

Upgrade nunjucks to version 3.2.4 or higher.

<3.2.4
  • H
Prototype Pollution

nunjucks is a powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired).

Affected versions of this package are vulnerable to Prototype Pollution. via the constructor class in nunjucks/src/runtime.js.

How to fix Prototype Pollution?

Upgrade nunjucks to version 3.2.3 or higher.

<3.2.3
  • H
Cross-site Scripting (XSS)

nunjucks is a powerful templating engine.

Like many templating engines, it automatically HTML encodes any string value included in the template using the {{ some-variable }} notation. These variables are often user-generated, but the HTML Encoding protects the application from Cross-site Scripting (XSS) attacks.

However, if the variable passed in is an array, no HTML encoding is applied, exposing an easy path to XSS. The risk of exploit is especially high given the fact express, koa and many other Node.js servers allow users to force a query parameter to be an array using the param[]=value notation.

How to fix Cross-site Scripting (XSS)?

Upgrade to nunjucks version 2.4.3 or newer.

<2.4.3