CVE-2020-7749 in osm-static-maps

Summary

by MITRE • 10/20/2020

This affects all versions of the package osm-static-maps. User input given to the package is passed directly to a template without escaping ({{{ ... }}}). As such, it is possible for an attacker to inject arbitrary HTML/JS code and, depending on the context, it will be output as HTML on the page, which gives opportunity for XSS, or rendered on the server (puppeteer), which also gives opportunity for SSRF and Local File Read.


Analysis

by VulDB Data Team • 11/21/2020

CVE-2020-7749 resides in the osm-static-maps package, a widely used tool for generating static maps from OpenStreetMap data. The package builds map images from user-provided input but neither sanitizes that input nor escapes it on output. The flaw manifests when user data is inserted directly into templates without HTML escaping, creating an attack surface that is exploitable through several vectors. Because every version of the package is affected, the issue is a design flaw that has persisted across releases rather than a regression in a single release.

The core issue is improper handling of user input during template rendering. Data passed to the template system through the {{{ ... }}} syntax is inserted without escaping special characters, so the output-encoding step that would neutralize markup never runs. This directly violates established principles of input validation and output encoding and lets an attacker inject arbitrary JavaScript or HTML. The vulnerability sits at the intersection of template injection and cross-site scripting: injected content can be rendered as HTML in a client-side page or executed server-side when puppeteer renders the template.

The operational impact extends beyond conventional cross-site scripting to server-side request forgery and local file access. When injected code runs inside the puppeteer rendering context, it can issue requests to internal services or read local files that should remain protected. This dual nature turns what looks at first like a client-side XSS issue into a vector capable of compromising server infrastructure and exposing sensitive data. The exposure is especially concerning because many applications that use this package apply no additional controls against server-side code execution.

Remediation requires adding proper input sanitization and output escaping to the package: every piece of user-provided data passed to a template must be HTML-escaped before rendering. Organizations using the package should upgrade to a patched version immediately or add compensating layers such as a content security policy and application-level input validation. The issue maps to CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection) and represents a clear violation of the principle of least privilege and secure coding practices. The ATT&CK framework categorizes it as a code injection technique that could lead to privilege escalation and lateral movement within affected systems, making it a critical concern that requires immediate remediation.
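The unescaped {{{ ... }}} interpolation described above and the escaping fix called for here, as an added example that is not osm-static-maps' own code: a minimal Handlebars/Mustache-style renderer that treats {{{name}}} as raw and {{name}} as HTML-escaped, a constructed attribution string standing in for caller input, and a small review aid that lists the raw interpolations in a template. It assumes the package uses a Handlebars-style engine; only the {{{ }}} syntax comes from the advisory.

```javascript
// Added example, not code from osm-static-maps. A minimal Handlebars/Mustache-style
// renderer: {{{name}}} inserts the value raw, {{name}} inserts it HTML-escaped.
// (Assumption: the package uses a Handlebars-style engine; only the {{{ }}} syntax
// is taken from the advisory.)

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Output encoding: neutralises every character that can open or close markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Single pass, so raw-inserted user data is never re-scanned for interpolations.
function render(template, context) {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_, rawKey, escKey) => {
      const value = context[rawKey ?? escKey] ?? '';
      return rawKey !== undefined ? String(value) : escapeHtml(value);
    },
  );
}

// Constructed caller input: an attribution string that happens to contain markup.
const USER_ATTRIBUTION = 'Map data <b>(c) OSM</b>';

// The vulnerable pattern from the advisory (triple-stash) beside the hardened form.
const VULNERABLE_TEMPLATE = '<div class="attribution">{{{attribution}}}</div>';
const SAFE_TEMPLATE = '<div class="attribution">{{attribution}}</div>';

function renderVulnerable(input) {
  return render(VULNERABLE_TEMPLATE, { attribution: input }); // markup reaches the page
}

function renderSafe(input) {
  return render(SAFE_TEMPLATE, { attribution: input }); // markup becomes inert text
}

// Review aid: lists every raw interpolation in a template so each one can be checked
// against the rule that only trusted, server-controlled values may flow through it.
function findRawInterpolations(template) {
  return [...template.matchAll(/\{\{\{\s*(\w+)\s*\}\}\}/g)].map((m) => m[1]);
}

console.log(renderVulnerable(USER_ATTRIBUTION));
console.log(renderSafe(USER_ATTRIBUTION));
```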

Responsible

Snyk

Reservation

01/21/2020

Disclosure

10/20/2020

Moderation

accepted

CPE

ready

EPSS

0.00477

KEV

no

Activities

very low
