GHSA-xrh7-m5pp-39r6: XSS Attack with Express API

Impact

XSS attack - anyone using the Express API is impacted

Patches

The problem has been resolved. Users should upgrade to version 2.0.0.

Workarounds

Don't pass user-supplied data directly to res.renderFile.
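The workaround above, as an added example that is not code from the eta project or from the advisory: instead of handing `req.query` straight to the Express `res.render` call that invokes eta's `renderFile`, the handler builds the view's data object from an explicit allow-list of fields. The Express app, the `greet` view and the `name` and `page` fields are assumptions made for the example.

```javascript
// Added example, not code from the eta project or the advisory: the workaround
// "don't pass user-supplied data directly to res.renderFile", written as an
// Express handler that hands the view an explicit allow-list of fields.
// Assumptions: an Express app with eta registered as its view engine, a view
// named "greet", and the fields `name` and `page`; all of these are invented.

// The only fields the "greet" view needs, each with a coercion. Every other
// key in req.query or req.body is dropped instead of being forwarded.
const ALLOWED_FIELDS = {
  name: (v) => String(v).slice(0, 64),
  page: (v) => Math.max(1, parseInt(v, 10) || 1),
};

// Build the data object for the template from an untrusted source object.
// Returns a fresh object that contains only allow-listed keys, so nothing the
// client controls reaches the renderer except these coerced values.
function buildTemplateData(untrusted) {
  const data = {};
  if (untrusted === null || typeof untrusted !== "object") return data;
  for (const [key, coerce] of Object.entries(ALLOWED_FIELDS)) {
    if (Object.prototype.hasOwnProperty.call(untrusted, key)) {
      data[key] = coerce(untrusted[key]);
    }
  }
  return data;
}

// The unsafe pattern the advisory warns about, kept here as a comment only:
//   app.get("/greet", (req, res) => res.render("greet", req.query));
// The handler below is the replacement: req.query is filtered first, and the
// view only ever sees the keys listed in ALLOWED_FIELDS.
function greetHandler(req, res) {
  res.render("greet", buildTemplateData(req.query));
}
```

Wire it up with `app.get("/greet", greetHandler)`. The same `buildTemplateData` shape applies to `req.body` and `req.params`; the point is that the object passed to the renderer is always one the application constructed, never one the client did.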

References

See the v2.0.0 release: https://github.com/eta-dev/eta/releases/tag/v2.0.0

Source: ghsa

Tags: #xss #nodejs #git

Package

npm eta (npm)

Affected versions

< 2.0.0

Patched versions

2.0.0

References

  • GHSA-xrh7-m5pp-39r6
  • eta-dev/eta@5651392

Last updated

Jan 31, 2023

Reviewed

Jan 31, 2023

Published to the GitHub Advisory Database

Jan 31, 2023

nebrelbug published to eta-dev/eta

Jan 28, 2023

Related news

CVE-2023-23630: Release Version 2.0.0 · eta-dev/eta

Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack - anyone using the Express API is impacted. The problem has been resolved. Users should upgrade to version 2.0.0. As a workaround, don't pass user supplied things directly to `res.render`.