CVE-2023-29453
📋 TL;DR
CVE-2023-29453 is a critical template injection vulnerability in Go's html/template package that allows attackers to inject arbitrary JavaScript code when a template action is placed inside a JavaScript template literal (a backtick-delimited string), which the package did not escape. This affects any Go application that uses html/template with user-controlled input in such templates. The vulnerability enables cross-site scripting (XSS) attacks that can lead to session hijacking, account takeover, or malware delivery.
💻 Affected Systems
- Go programming language
- Zabbix monitoring system
- Any application using Go's html/template package
⚠️ Risk & Real-World Impact
Worst Case
Full account compromise, data theft, complete system takeover via chained attacks, and persistent malware installation on user browsers.
Likely Case
Session hijacking, credential theft, unauthorized actions performed as authenticated users, and client-side data exfiltration.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.
🎯 Exploit Status
Exploitation requires user-controlled input to reach a template action that sits inside a JavaScript template literal. Once that vector is identified, the vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Go 1.20.6, Go 1.19.11, or later
Vendor Advisory: https://go.dev/issue/59234
Restart Required: Yes
Instructions:
1. Update Go to version 1.20.6 or 1.19.11 or later.
2. Recompile and redeploy all affected applications.
3. For Zabbix, update to version 6.0.23, 6.4.8, or 7.0.0alpha1 or later.
🔧 Temporary Workarounds
Enable GODEBUG flag for backward compatibility
Temporarily re-enable the pre-fix behavior for templates that contain backticks while a permanent fix is planned. This restores the vulnerable handling, so it is a compatibility measure rather than a mitigation.
export GODEBUG=jstmpllitinterp=1
Input validation and sanitization
Implement strict input validation to reject or sanitize backticks in user-controlled values that are rendered into templates.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Deploy web application firewall (WAF) rules to detect and block template injection attempts
🔍 How to Verify
Check if Vulnerable:
Check the Go version with 'go version' and check whether the application uses html/template with template actions inside backtick-delimited JavaScript template literals that receive user input.
Check Version:
go version
Verify Fix Applied:
Confirm the Go version is 1.20.6/1.19.11 or later, and test that rendering a template with an action inside a backtick literal no longer executes attacker-supplied JavaScript.
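As an added example (not code from this advisory or from the Go project), the following Go program contrasts the risky pattern with the safe one and reports what the installed toolchain does with each: a patched 1.19/1.20 toolchain rejects the risky template with ErrorCode 12, while later toolchains escape the action instead. The template strings, the sample input and the function names are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"strings"
)

// Constructed attacker-controlled value: it tries to close a JavaScript
// template literal early and append its own expression.
const SampleInput = "`+alert(document.cookie)+`"
// RiskyTemplate puts a template action inside a JS template literal, the pattern
// CVE-2023-29453 concerns: vulnerable Go did not treat the backtick as a
// string delimiter, so the action's output could terminate the literal.
const RiskyTemplate = "<script>var greeting = `Hello {{.}}`;</script>"
// SafeTemplate keeps the action outside the literal: html/template emits the
// value as a quoted, escaped JS string and the literal only interpolates it.
const SafeTemplate = "<script>var name = {{.}}; var greeting = `Hello ${name}`;</script>"

// Render parses and executes tmpl with input as data. It returns the output
// and the html/template ErrorCode: 0 on success, 12 when patched Go rejects
// an action inside a JS template literal, -1 for any other error.
func Render(tmpl, input string) (string, int) {
	var sb strings.Builder
	t, err := template.New("page").Parse(tmpl)
	if err == nil {
		err = t.Execute(&sb, input) // contextual escaping runs on first Execute
	}
	if err != nil {
		var terr *template.Error
		if errors.As(err, &terr) {
			return "", int(terr.ErrorCode)
		}
		return "", -1
	}
	return sb.String(), 0
}

// LiteralBrokenOut reports whether the input's raw backtick directly follows
// the literal's own text, i.e. the input was able to terminate the literal.
func LiteralBrokenOut(out string) bool { return strings.Contains(out, "`Hello `+alert(") }

// EmittedAsJSString reports whether the value became a quoted JS string (safe shape).
func EmittedAsJSString(out string) bool { return strings.Contains(out, `var name = "`) }

func main() {
	for _, tmpl := range []string{RiskyTemplate, SafeTemplate} {
		out, code := Render(tmpl, SampleInput)
		fmt.Printf("code=%d brokenOut=%v\n%s\n", code, LiteralBrokenOut(out), out)
	}
}
```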
📡 Detection & Monitoring
Log Indicators:
- Unusual template parsing errors
- Increased 400/500 errors on template endpoints
- ErrorCode 12 in Go template parsing logs
Network Indicators:
- HTTP requests containing backticks in template parameters
- Unusual JavaScript payloads in request parameters
SIEM Query:
source="web_logs" AND (backtick OR `template` OR ErrorCode:12)