CVE-2024-24785

Published: Mar 5, 2024

Modified: Mar 14, 2025

PUBLISHED

Description

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

Vendor	Product	Versions
Go standard library	html/template	affected `0 - < 1.21.8` affected `1.22.0-0 - < 1.22.1`

References

https://go.dev/issue/65697

https://go.dev/cl/564196

https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg

https://pkg.go.dev/vuln/GO-2024-2610

https://security.netapp.com/advisory/ntap-20240329-0008/

http://www.openwall.com/lists/oss-security/2024/03/08/4

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-24785

Description

Affected Products

References