CVE-2024-24785

Summary

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

Affected Software

VendorProductVersion RangeStatus
Go standard libraryhtml/template0 < 1.21.8affected
Go standard libraryhtml/template1.22.0-0 < 1.22.1affected

Weaknesses

  • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References