Platform
go
Component
template
Fixed in
3.1.10
CVE-2024-22199 is a critical Cross-Site Scripting (XSS) vulnerability found in the gofiber/template package, a component used for rendering templates within the Fiber web framework. This vulnerability allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to data theft or account takeover. The vulnerability affects versions 3.1.0 up to, but not including, 3.1.9. A fix has been released in version 3.1.9, which enables autoescape by default.
The impact of this XSS vulnerability is significant. An attacker could inject arbitrary JavaScript code into a web page, which would then execute in the context of the user's browser. This could allow the attacker to steal sensitive information, such as cookies or session tokens, or to redirect the user to a malicious website. Furthermore, attackers could potentially deface the website or perform actions on behalf of the user without their knowledge. The ease of exploitation, combined with the potential for widespread impact, makes this a high-priority vulnerability to address. The use of gofiber/template in numerous Go web applications increases the potential attack surface.
This vulnerability was publicly disclosed on January 11, 2024. There are currently no known active campaigns exploiting this specific CVE, but the ease of exploitation and the widespread use of gofiber/template make it a potential target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the nature of the vulnerability and its public disclosure.
Exploit Status
EPSS
1.37% (80th percentile)
CVSS Vector
The primary mitigation for CVE-2024-22199 is to upgrade to version 3.1.9 or later of the gofiber/template package. This version includes a fix that enables autoescape by default, which effectively prevents the injection of malicious scripts. If upgrading immediately is not possible, consider implementing input validation and output encoding on user-supplied data before rendering it through the template engine. While not a complete solution, this can reduce the risk of exploitation. Review your application's template usage to ensure that user-supplied data is properly sanitized and escaped. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., `<script>alert(1)</script>`) into a form field and verifying that the script is not executed.
Update the `gofiber/template` library to the latest available version. The vulnerability is resolved by configuring autoescape to `true` by default. Ensure your application uses a version of the library that has this setting enabled.
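The following is an added example, not code from the advisory or from the gofiber/template project. It models the two behaviours the advisory contrasts using only the Go standard library: `text/template` stands in for a template engine with autoescape disabled (the pre-fix default), `html/template` for the fixed autoescape-on behaviour, and `scriptSurvives` is the post-upgrade check described above. The page template, the `Name` field and the probe string are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"strings"
	texttemplate "text/template"
)

// Constructed sample template and probe (not from the advisory): a page that
// interpolates a user-supplied name, and the simple XSS probe the advisory
// recommends for confirming that a fix is in place.
const pageTemplate = `<p>Hello, {{.Name}}!</p>`
const xssProbe = `<script>alert(1)</script>`

// renderUnescaped models a template engine with autoescape disabled: the
// user-supplied value is inserted into the page verbatim.
func renderUnescaped(name string) (string, error) {
	tmpl, err := texttemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped models the fixed behaviour (autoescape on): html/template
// applies context-aware HTML escaping to every interpolated value.
func renderEscaped(name string) (string, error) {
	tmpl, err := htmltemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]string{"Name": name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// scriptSurvives is the verification check: true means the probe reached the
// rendered output as a live <script> tag, i.e. autoescape is not in effect.
func scriptSurvives(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	raw, _ := renderUnescaped(xssProbe)
	safe, _ := renderEscaped(xssProbe)
	fmt.Printf("autoescape off: %s  script survives: %v\n", raw, scriptSurvives(raw))
	fmt.Printf("autoescape on:  %s  script survives: %v\n", safe, scriptSurvives(safe))
}
```

The same check can be run against a real deployment by submitting the probe through a form field and applying `scriptSurvives` to the response body.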
CVE-2024-22199 is a critical XSS vulnerability in the gofiber/template package, allowing attackers to inject malicious scripts into web pages. It affects versions 3.1.0 through 3.1.8.
You are affected if your application uses gofiber/template version 3.1.0 through 3.1.8 and renders user-supplied data within templates without proper sanitization.
Upgrade to version 3.1.9 or later of the gofiber/template package. This enables autoescape by default, mitigating the XSS risk.
While there are no confirmed active campaigns, the vulnerability's ease of exploitation makes it a potential target.
Refer to the gofiber/template repository on GitHub for updates and advisories: https://github.com/gofiber/template