Nunjucks is a full featured templating engine for JavaScript. Versions 2.4.2 and lower have a cross site scripting (XSS) vulnerability in autoescape mode. In autoescape mode, all template vars should automatically be escaped. By using an array for the keys, such as `name[]=<script>alert(1)</script>`, it is possible to bypass autoescaping and inject content into the DOM.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| nunjucks(npm) | 0 | 2.4.3 | N/A |
CVSS Metrics
