nunjucks@3.1.6 vulnerabilities

A powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired)

Direct Vulnerabilities

Known vulnerabilities in the nunjucks package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

nunjucks is a powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired).

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the second parameter, when more than one user-controlled parameter is used on the same line in a view. Autoescaping can be bypassed by including a \ in the user input string.

How to fix Cross-site Scripting (XSS)?

Upgrade nunjucks to version 3.2.4 or higher.

<3.2.4
  • H
Prototype Pollution

nunjucks is a powerful templating engine with inheritance, asynchronous control, and more (jinja2 inspired).

Affected versions of this package are vulnerable to Prototype Pollution. via the constructor class in nunjucks/src/runtime.js.

How to fix Prototype Pollution?

Upgrade nunjucks to version 3.2.3 or higher.

<3.2.3