CVE-2023-24540

9.8 CRITICAL

📋 TL;DR

This CVE describes a template injection vulnerability in Go's text/template and html/template packages where certain Unicode whitespace characters aren't properly sanitized in JavaScript contexts. Attackers can exploit this to execute arbitrary JavaScript code in applications using these template packages. All Go applications using these template packages with user-controlled input are affected.

💻 Affected Systems

Products:
  • Go programming language
  • Applications using Go's text/template or html/template packages
Versions: Go before 1.19.9, and Go 1.20.x before 1.20.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects templates that contain actions ({{...}}) and use user-controlled input with Unicode whitespace characters outside the standard set.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, or service disruption.

🟠 Likely Case: Cross-site scripting (XSS) attacks allowing session hijacking, credential theft, or client-side attacks.

🟢 If Mitigated: Limited impact if input validation and output encoding are properly implemented alongside the patch.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user input containing specific Unicode whitespace characters in template contexts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.20.4 and 1.19.9

Vendor Advisory: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU

Restart Required: Yes

Instructions:

1. Identify all Go applications in your environment
2. Check Go version with 'go version'
3. Update to Go 1.20.4 or 1.19.9 using your package manager
4. Recompile all applications with the updated Go version
5. Restart all affected services

🔧 Temporary Workarounds

Input Validation Filter

all

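Filter out Unicode whitespace characters from user input before template processing.

// Go code to filter Unicode whitespace
import (
    "strings"
    "unicode"
)

// sanitizeInput drops every rune that unicode.IsSpace reports as whitespace,
// except the set "\t\n\f\r \u2028\u2029", which is kept unchanged.
func sanitizeInput(input string) string {
    return strings.Map(func(r rune) rune {
        if unicode.IsSpace(r) && !strings.ContainsRune("\t\n\f\r \u2028\u2029", r) {
            return -1 // a negative value tells strings.Map to drop the rune
        }
        return r
    }, input)
}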

🧯 If You Can't Patch

  • Implement strict input validation to reject or sanitize Unicode whitespace characters in template inputs
  • Use Content Security Policy (CSP) headers to mitigate potential XSS impact

🔍 How to Verify

Check if Vulnerable:

Check the Go version with 'go version'. The toolchain is vulnerable if it is older than 1.19.9, or if it is a 1.20.x release older than 1.20.4.

Check Version:

go version

Verify Fix Applied:

Confirm the Go version is 1.20.4 or higher, or on the 1.19 line 1.19.9 or higher, and that applications have been recompiled with it.
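
'go version' reports the installed toolchain, but a service stays exposed until its binary is rebuilt, so it is worth checking the version embedded in each deployed binary. The following is an added example, not code from the Go project or the advisory: it reads that version with debug/buildinfo and compares it to the fixed releases listed on this page. The function name isPatched and the choice to report release candidates, devel builds and vendor-suffixed versions as unpatched are assumptions of this example.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// isPatched reports whether a toolchain string such as "go1.20.3" is at or
// above the fixed releases named on this page (1.19.9, 1.20.4) or on a later
// release line. Unparseable versions (rc, devel) count as unpatched.
func isPatched(v string) bool {
	if !strings.HasPrefix(v, "go1.") {
		return false
	}
	minorStr, patchStr, _ := strings.Cut(strings.TrimPrefix(v, "go1."), ".")
	minor, err := strconv.Atoi(minorStr)
	if err != nil {
		return false
	}
	patch, _ := strconv.Atoi(patchStr) // "" or junk yields 0, erring toward "rebuild"
	switch minor {
	case 19:
		return patch >= 9
	case 20:
		return patch >= 4
	}
	return minor >= 21
}

// Usage: pass paths of deployed binaries; exit status 1 if any needs a rebuild.
func main() {
	exit := 0
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path) // toolchain the binary was built with
		switch {
		case err != nil:
			fmt.Printf("%s: no Go build info: %v\n", path, err)
		case isPatched(info.GoVersion):
			fmt.Printf("%s: %s patched\n", path, info.GoVersion)
		default:
			fmt.Printf("%s: %s built with a vulnerable toolchain, rebuild\n", path, info.GoVersion)
			exit = 1
		}
	}
	os.Exit(exit)
}
```

The same information is available for a single file from 'go version' followed by the binary's path.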

📡 Detection & Monitoring

Log Indicators:

  • Unusual template processing errors
  • JavaScript execution errors in logs
  • Requests containing Unicode whitespace characters in template parameters

Network Indicators:

  • HTTP requests with unusual Unicode characters in parameters
  • Unexpected JavaScript execution in responses

SIEM Query:

source="web_logs" AND (url="*%E2%80%88*" OR url="*%E2%80%89*" OR url="*%E2%80%8A*" OR url="*%E2%80%8B*")
