CVE-2021-37634: LeafKit allows XSS with untrusted user input

June 9, 2023

This affects anyone passing unsanitised data to Leaf’s variable tags. Before this fix, Leaf would not escape any strings passed to tags as variables. If an attacker managed to find a variable that was rendered with their unsanitised data, they could inject scripts into a generated Leaf page, which could enable XSS attacks if other mitigations such as a Content Security Policy were not enabled.

References

github.com/advisories/GHSA-rv3x-xq3r-8j9h
github.com/vapor/leaf-kit
github.com/vapor/leaf-kit/releases/tag/1.3.0
github.com/vapor/leaf-kit/security/advisories/GHSA-rv3x-xq3r-8j9h
nvd.nist.gov/vuln/detail/CVE-2021-37634

Detect and mitigate CVE-2021-37634 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →