CVE-2023-29400: Improper handling of empty HTML attributes in html/template

Description

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

Classification

CVE ID: CVE-2023-29400

Affected Products

Vendor: Go standard library

Product: html/template

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.1% (probability of being exploited)

EPSS Percentile: 43.08% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://go.dev/issue/59722
https://go.dev/cl/491617
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
https://pkg.go.dev/vuln/GO-2023-1753

Timeline

2024-12-14 00:30:15 UTC
CVE

Improper handling of empty HTML attributes in html/template