CVE-2024-24785 in html-template
Summary
by MITRE • 03/06/2024
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/15/2026
This vulnerability exists within the go programming language ecosystem and specifically impacts applications utilizing the html/template package for rendering dynamic content. The issue stems from improper handling of error messages returned by MarshalJSON methods when these errors contain user-controlled data. When such errors are processed through the template engine, they can potentially bypass the automatic escaping mechanisms that protect against cross-site scripting attacks. The vulnerability represents a sophisticated bypass of security controls that are typically in place to prevent malicious data from being injected into templates.
The technical flaw manifests when applications use the html/template package to process data that may contain untrusted input, particularly in scenarios where MarshalJSON methods are invoked on user-supplied data structures. When these methods return errors containing user-controlled content, the error handling process can inadvertently expose this data to template processing without proper sanitization. This creates a pathway for attackers to craft inputs that, when processed through the MarshalJSON error handling, can manipulate the template rendering context. The vulnerability is classified under CWE-116 as improper encoding or escaping of output, and relates to CWE-79 which addresses cross-site scripting vulnerabilities.
The operational impact of this vulnerability is significant for web applications built with go that utilize the html/template package for rendering user-facing content. Attackers can exploit this weakness to inject malicious content into templates, potentially leading to cross-site scripting attacks, data exfiltration, or unauthorized actions within the application context. The vulnerability is particularly dangerous because it operates at the intersection of data serialization, error handling, and template processing, making it difficult to detect through conventional security scanning methods. It allows attackers to potentially manipulate the execution flow of template rendering processes, bypassing standard security controls that protect against malicious input.
Mitigation strategies should focus on implementing proper input validation and sanitization before data enters the MarshalJSON processing pipeline, ensuring that error messages containing user-controlled content are properly escaped before being processed by template engines. Applications should avoid directly incorporating user-supplied error messages into template contexts and instead use structured error handling that separates user data from template processing. Security best practices recommend implementing comprehensive logging of template processing errors and establishing strict validation controls for all data entering template rendering pipelines. Organizations should also consider updating to patched versions of the go standard library and implementing runtime monitoring to detect anomalous template processing behaviors that might indicate exploitation attempts. The vulnerability aligns with ATT&CK technique T1211 which involves privilege escalation through template injection, and T1068 which covers local privilege escalation via application vulnerabilities.