CVE-2023-24539 – This is a cross-site scripting (XSS) vulnerabil... (How to Fix)

Q: What is the severity of CVE-2023-24539?

CVE-2023-24539 has a CVSS score of 7.3 (HIGH). This is a cross-site scripting (XSS) vulnerability in Go's html/template package where angle brackets in CSS contexts aren't properly escaped. It affects Go applications using html/template with untrusted input in CSS contexts, potentially allowing attackers to inject malicious scripts.

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Go's html/template package where angle brackets in CSS contexts aren't properly escaped. It affects Go applications using html/template with untrusted input in CSS contexts, potentially allowing attackers to inject malicious scripts.

💻 Affected Systems

Products:

Go programming language

Versions: Go versions before 1.20.4 and 1.19.9

Operating Systems: All operating systems running Go applications

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects applications using html/template package with untrusted input in CSS contexts. Applications not using CSS contexts or not processing untrusted input are not vulnerable.

📦 What is this software?

Go by Golang

View all CVEs affecting Go →

Go by Golang

View all CVEs affecting Go →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full XSS exploitation leading to session hijacking, credential theft, or complete client-side compromise of users visiting vulnerable pages.

🟠

Likely Case

Limited XSS allowing attackers to steal session cookies or perform actions on behalf of authenticated users.

🟢

If Mitigated

No impact if proper input validation and output encoding are already implemented beyond the vulnerable template functions.

🌐 Internet-Facing: HIGH - Web applications exposed to the internet are directly vulnerable to XSS attacks from any visitor.

🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

XSS vulnerabilities are commonly exploited and tooling exists for automated exploitation. The specific injection pattern requires specific template structures.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.20.4 and 1.19.9

Vendor Advisory: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU

Restart Required: Yes

Instructions:

1. Update Go to version 1.20.4 or 1.19.9. 2. Recompile and redeploy all affected applications. 3. Restart services using the updated binaries.

🔧 Temporary Workarounds

Input validation for CSS contexts

all

Implement strict input validation for any data that will be placed in CSS contexts within templates

Avoid untrusted input in CSS

all

Refactor templates to avoid placing untrusted user input in CSS contexts entirely

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to mitigate XSS impact
Use additional output encoding libraries specifically for CSS contexts

🔍 How to Verify

Check if Vulnerable:

Check if application uses Go's html/template package with untrusted input in CSS contexts and runs on Go <1.20.4 or <1.19.9

Check Version:

go version

Verify Fix Applied:

Verify Go version is 1.20.4+ or 1.19.9+ and application has been recompiled with updated version

📡 Detection & Monitoring

Log Indicators:

Unusual angle bracket patterns in CSS content
Multiple '/' characters in template output

Network Indicators:

Script tags or JavaScript in CSS contexts in HTTP responses

SIEM Query:

web_logs WHERE (url_contains 'css' OR content_type_contains 'css') AND (response_body_contains '<script>' OR response_body_contains 'javascript:')

📊 Metadata

CVE ID: CVE-2023-24539

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

Published: May 11, 2023

Last Updated: January 24, 2025

🔗 References

https://go.dev/cl/491615 Patch
https://go.dev/issue/59720 Issue Tracking,Patch
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU Mailing List,Release Notes
https://pkg.go.dev/vuln/GO-2023-1751 Vendor Advisory
https://go.dev/cl/491615 Patch
https://go.dev/issue/59720 Issue Tracking,Patch
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU Mailing List,Release Notes
https://pkg.go.dev/vuln/GO-2023-1751 Vendor Advisory
https://security.netapp.com/advisory/ntap-20241129-0005/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-24539, you might also want to check these: