CVE-2024-22199

9.3 CRITICAL

📋 TL;DR

CVE-2024-22199 is a cross-site scripting (XSS) vulnerability in the gofiber/template package. The template engine did not escape interpolated values by default, so any application that rendered user-supplied data through it emitted that data as live HTML, letting an attacker whose input reaches a template inject markup and JavaScript that runs in other users' browsers. It affects web applications built on the Fiber framework that plug a gofiber/template engine in through the Views interface. The fix turns autoescape on by default.

💻 Affected Systems

Products:
  • gofiber/template package
Versions: any release before commit 28cff3ac4d4c117ab25b5396954676d624b6cb46 (each engine, e.g. github.com/gofiber/template/html/v2, is its own Go module, so check the version of the engine module your application actually imports)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that render user-supplied data through the Views interface. Autoescape defaulted to false, so applications that never touched the setting were exposed; applications that had explicitly enabled it were not.

📦 What is this software?

gofiber/template is a collection of template-engine adapters (html, django, handlebars, jet, mustache, pug and others) for the Fiber web framework. An engine is constructed once, handed to Fiber as fiber.Config{Views: engine}, and pages are rendered from handlers with c.Render, which is where user-controlled values get interpolated into markup.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can steal user session cookies, credentials, or sensitive data, perform actions on behalf of authenticated users, and potentially compromise entire user accounts.

🟠

Likely Case

Attackers inject malicious JavaScript that runs in victims' browsers, leading to session hijacking, credential theft, or defacement of web pages.

🟢

If Mitigated

With autoescape enabled (the patched default), values interpolated into a template are escaped for the context they land in before the page is sent, so user-supplied markup is displayed as text rather than executed. Residual risk is limited to values the application deliberately marks as trusted or raw.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No (none published with the advisory)
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory does not report exploitation in the wild and ships no proof of concept, but none is needed: once an attacker finds a page that renders their input, a stored or reflected payload such as a script tag in a profile field is trivial to build, and XSS of this kind is routinely weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 28cff3ac4d4c117ab25b5396954676d624b6cb46 or later

Vendor Advisory: https://github.com/gofiber/template/security/advisories/GHSA-4mq2-gc4j-cmw6

Restart Required: Yes (rebuild and redeploy; the fix is compiled into the binary, so restarting the old build changes nothing)

Instructions:

1. Update the engine module your application imports to a release containing the fix, e.g. for the html engine: go get github.com/gofiber/template/html/v2@latest (use the corresponding module path for other engines), then go mod tidy.
2. Rebuild the binary. With the updated engine autoescape is on by default; remove any explicit call that switches it off and review every place that marks output as safe or raw for values that originate from users.
3. Redeploy and restart the application.

🔧 Temporary Workarounds

Enable Autoescape Manually

Applies to: all platforms

If you cannot update immediately, set autoescape to true in the template engine configuration. This is the same protection the patch enables by default, with one caveat: values the application explicitly marks as trusted or raw bypass escaping on either setting, so audit those too.

// html engine from github.com/gofiber/template/html/v2; the app is github.com/gofiber/fiber/v2
engine := html.New("./views", ".html")
engine.Reload(true)     // re-parse templates on every render: development only
engine.Debug(true)      // log parsed templates: development only
engine.Autoescape(true) // the setter the advisory's workaround names; confirm it exists on the engine version you run
app := fiber.New(fiber.Config{Views: engine}) // hand the engine to Fiber through the Views interface
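The following added example is not code from gofiber/template or the advisory. It uses only Go's standard library to show what the autoescape setting actually changes: text/template stands in for an engine with autoescape off and html/template for one with it on, rendering the same constructed attacker-controlled values (evilName, evilLink) through a hypothetical two-field view. It also shows the escape hatch that survives the fix: a value typed template.HTML (the equivalent of a "safe" or raw filter in other engines) is emitted verbatim, which is why the workaround above says to audit those uses as well.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Constructed attacker-controlled values, standing in for what a profile form
// or query string might carry. Not taken from the advisory.
const (
	evilName = `<script>alert(document.cookie)</script>`
	evilLink = `javascript:alert(1)`
)

// A hypothetical view: one value in HTML text context, one inside a URL attribute.
const page = `<h1>Hello {{.Name}}</h1><a href="{{.Link}}">profile</a>`

type viewData struct{ Name, Link string }

// RenderUnescaped behaves like an engine with autoescape off: text/template
// interpolates values verbatim, so the markup in Name becomes live HTML.
func RenderUnescaped(d viewData) (string, error) {
	t, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, d); err != nil {
		return "", err
	}
	return b.String(), nil
}

// RenderEscaped behaves like autoescape on: html/template escapes each value
// for the context it lands in. Name is entity-encoded; Link sits in an href,
// so it is checked as a URL and the javascript: scheme is replaced by the
// inert "#ZgotmplZ" marker, something plain entity encoding would not catch.
func RenderEscaped(d viewData) (string, error) {
	t, err := htmltemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, d); err != nil {
		return "", err
	}
	return b.String(), nil
}

// RenderTrusted shows the escape hatch that survives autoescape: a value typed
// template.HTML is emitted verbatim. Applying that type (or a "safe" filter)
// to user input reopens the hole on a fully patched engine.
func RenderTrusted(raw string) (string, error) {
	t, err := htmltemplate.New("div").Parse(`<div>{{.}}</div>`)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, htmltemplate.HTML(raw)); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	d := viewData{Name: evilName, Link: evilLink}
	for _, r := range []struct {
		label string
		fn    func() (string, error)
	}{
		{"autoescape off", func() (string, error) { return RenderUnescaped(d) }},
		{"autoescape on ", func() (string, error) { return RenderEscaped(d) }},
		{"marked trusted", func() (string, error) { return RenderTrusted(evilName) }},
	} {
		out, err := r.fn()
		if err != nil {
			fmt.Println(r.label, "error:", err)
			continue
		}
		fmt.Printf("%s: %s\n", r.label, out)
	}
}
```

Run it and compare the three lines: the first carries the script tag and javascript: link intact, the second neutralizes both, and the third shows the trusted-type bypass emitting the script tag even though html/template is in use.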

🧯 If You Can't Patch

  • Escape at the point of output: make sure every value that originates from a user is rendered through an escaping path, and treat input validation as a secondary control only (it cannot anticipate every encoding that reaches a template).
  • Deploy a Content-Security-Policy that disallows inline script (no 'unsafe-inline' in script-src) so an injected tag does not execute, and add a report-uri or report-to endpoint so attempts surface in your logs.
  • Set session cookies HttpOnly and Secure so a script that does run cannot read them, which removes the session-theft outcome from the worst case above.

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if the gofiber/template engine module you import predates commit 28cff3ac4d4c117ab25b5396954676d624b6cb46 and autoescape is not explicitly enabled in your engine configuration (the default in those versions is off).

Check Version:

go list -m all | grep gofiber/template

Verify Fix Applied:

Confirm the engine module resolves to a fixed release in go.mod and go.sum, and that no code path calls the engine's autoescape setter with false. For a binary that is already deployed, go version -m <binary> prints the module versions compiled into it, which is the authoritative check; govulncheck ./... run in the repository also flags affected module versions once the vulnerability is in the Go vulnerability database.

📡 Detection & Monitoring

Log Indicators:

  • Template rendering errors or a rise in 5xx responses on endpoints that interpolate user data (payloads with unbalanced quotes or braces often break the page before they run)
  • Request parameters, form fields or stored records containing <script, javascript:, onerror= and similar fragments, including their percent-encoded and double-encoded forms
  • Content-Security-Policy violation reports (report-uri / report-to) from a policy that forbids inline script: the browser-side evidence a server otherwise never sees

Network Indicators:

  • Script payloads in HTTP request parameters, headers or bodies, usually percent-encoded
  • Requests from victims' browsers to domains outside your allowlist that carry cookies, tokens or form data in the URL (exfiltration beacons from an injected script)

SIEM Query:

source="web_logs" AND (message="*<script*" OR message="*%3Cscript*" OR message="*%253Cscript*" OR message="*javascript:*" OR message="*javascript%3A*") AND status=200

Payloads almost always arrive percent-encoded, and attackers double-encode to slip past naive filters, so match the encoded forms as well as the literal ones, or query a field your SIEM has already URL-decoded. The status=200 clause narrows the result to requests that reached a render path; a 4xx on the same pattern is a blocked attempt worth counting but not an incident.
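The following is an added example, not part of the original page or of any gofiber tooling. It implements the detection logic of the query above offline in Go: it parses constructed combined-format access-log lines (the sampleLog slice is invented for this example), URL-decodes each query parameter repeatedly until it stops changing so that double-encoded payloads are inspected in their final form, and flags values containing a script tag, a javascript: URL or an inline event handler, keeping the response status so 200s can be triaged first.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample access-log lines in combined log format; not real traffic.
// Line 3 is double percent-encoded, the shape a single-decode query misses.
var sampleLog = []string{
	`10.0.0.5 - - [12/Jan/2024:10:01:02 +0000] "GET /search?q=fiber HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`10.0.0.7 - - [12/Jan/2024:10:01:09 +0000] "GET /search?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 734 "-" "curl/8.4.0"`,
	`10.0.0.9 - - [12/Jan/2024:10:02:14 +0000] "GET /profile?name=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 801 "-" "Mozilla/5.0"`,
	`10.0.0.3 - - [12/Jan/2024:10:03:40 +0000] "GET /go?next=javascript%3Aalert(1) HTTP/1.1" 302 0 "-" "Mozilla/5.0"`,
	`10.0.0.4 - - [12/Jan/2024:10:04:01 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 403 0 "-" "Mozilla/5.0"`,
}

// xssPattern matches, on the decoded value, a script tag, a javascript: URL,
// or an inline event handler attribute on any tag.
var xssPattern = regexp.MustCompile(`(?i)<\s*script|javascript\s*:|<[a-z][^>]*\son[a-z]+\s*=`)

// Hit records one flagged parameter. Status is kept because a 200 means the
// payload reached a render path, while a 4xx suggests a filter caught it.
type Hit struct {
	Line    int // 1-based index into the scanned slice
	Param   string
	Decoded string
	Status  string
}

// fullyDecode applies percent-decoding until the value stops changing, with a
// bound so a malformed or adversarial value cannot loop.
func fullyDecode(v string) string {
	for i := 0; i < 3; i++ {
		next, err := url.QueryUnescape(v)
		if err != nil || next == v {
			break
		}
		v = next
	}
	return v
}

// ScanLog parses each combined-format line, decodes its query parameters and
// returns the parameters whose decoded value matches xssPattern.
func ScanLog(lines []string) []Hit {
	var hits []Hit
	for i, line := range lines {
		start := strings.IndexByte(line, '"')
		if start < 0 {
			continue
		}
		end := strings.IndexByte(line[start+1:], '"')
		if end < 0 {
			continue
		}
		req := line[start+1 : start+1+end]           // e.g. GET /search?q=... HTTP/1.1
		rest := strings.Fields(line[start+1+end+1:]) // status, bytes, referer, user-agent
		status := ""
		if len(rest) > 0 {
			status = rest[0]
		}
		parts := strings.Fields(req)
		if len(parts) < 2 {
			continue
		}
		u, err := url.Parse(parts[1])
		if err != nil {
			continue
		}
		q, _ := url.ParseQuery(u.RawQuery) // keep whatever parsed even if one pair is malformed
		keys := make([]string, 0, len(q))
		for k := range q {
			keys = append(keys, k)
		}
		sort.Strings(keys) // deterministic output order
		for _, k := range keys {
			for _, v := range q[k] {
				decoded := fullyDecode(v)
				if xssPattern.MatchString(decoded) {
					hits = append(hits, Hit{Line: i + 1, Param: k, Decoded: decoded, Status: status})
				}
			}
		}
	}
	return hits
}

func main() {
	for _, h := range ScanLog(sampleLog) {
		fmt.Printf("line %d status %s param %q -> %q\n", h.Line, h.Status, h.Param, h.Decoded)
	}
}
```

Against the sample, the benign first line is not reported, the double-encoded profile payload is surfaced as a plain img tag with an onerror handler, and the last line shows up with status 403 so an analyst can separate blocked probes from requests that were actually rendered.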

🔗 References

  • Vendor advisory (GHSA-4mq2-gc4j-cmw6): https://github.com/gofiber/template/security/advisories/GHSA-4mq2-gc4j-cmw6
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-22199
  • Fix commit: 28cff3ac4d4c117ab25b5396954676d624b6cb46 in https://github.com/gofiber/template
