XSS Attack with Express API

High
nebrelbug published GHSA-xrh7-m5pp-39r6 Jan 28, 2023

Package

npm Eta (npm)

Affected versions

<= 1.14.2

Patched versions

2.0.0

Description

Impact

What kind of vulnerability is it? Who is impacted?
Cross-site scripting (XSS); anyone using the Express API is impacted.

Patches

Has the problem been patched? What versions should users upgrade to?
The problem has been resolved. Users should upgrade to version 2.0.0.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not pass user-supplied data directly to res.renderFile.
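The workaround above as a concrete handler pattern. This is an added example, not code from the advisory or from the Eta project: it assumes an Express app that renders Eta views, and it stubs Express's res object so the file runs offline. The view name "greeting", the allow-listed field names and the constructed request objects are all assumptions made for illustration.

```javascript
// Added example (not part of the Eta advisory or project). Assumes an Express app
// rendering Eta templates; Express itself is replaced by a small stub below.

// Fields the view is allowed to receive. Anything else in the request is dropped.
const ALLOWED_FIELDS = ["name", "page"];

// Build the object handed to the template engine from untrusted request input.
// Only allow-listed, string-valued fields are copied into a fresh object, so no
// request-controlled key reaches the renderer unchanged.
function buildViewData(untrusted) {
  const safe = {};
  if (untrusted === null || typeof untrusted !== "object") return safe;
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(untrusted, key) &&
        typeof untrusted[key] === "string") {
      safe[key] = untrusted[key];
    }
  }
  return safe;
}

// The pattern the advisory's workaround warns against: the request's query object
// is handed to the renderer as-is, so every key the client sent reaches it.
function unsafeHandler(req, res) {
  return res.render("greeting", req.query);
}

// Hardened handler: only the allow-listed copy reaches the renderer.
function safeHandler(req, res) {
  return res.render("greeting", buildViewData(req.query));
}

// Minimal stand-in for Express's res object (assumption: real Express forwards
// res.render to the configured view engine). It records what the renderer receives.
function makeRes() {
  const calls = [];
  return {
    calls,
    render(view, data) {
      const call = { view, data };
      calls.push(call);
      return call;
    },
  };
}

// Constructed sample request, standing in for an incoming HTTP query string.
const sampleReq = { query: { name: "alice", page: "home", extra: "ignored" } };
const demo = safeHandler(sampleReq, makeRes());
console.log(demo.view, demo.data); // greeting { name: 'alice', page: 'home' }
```

In a real application the handlers would be registered with app.get(...) and res.render would go through Eta; the point of the pattern is that the object passed to the renderer is always one the server constructed, never the parsed request body or query.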

References

Are there any links users can visit to find out more?
See https://github.com/eta-dev/eta/releases/tag/v2.0.0

Severity

High

CVE ID

CVE-2023-23630

Weaknesses

No CWEs

Credits