CVE-2023-24538 Overview
CVE-2023-24538 is a critical code injection vulnerability affecting the Go programming language's html/template and text/template packages. The vulnerability stems from improper handling of backtick characters (`) which are used as JavaScript string delimiters in ES6 template literals. When a Go template contains an action within a JavaScript template literal, attackers can exploit this flaw to terminate the literal prematurely and inject arbitrary JavaScript code.
Critical Impact
This vulnerability allows remote attackers to inject arbitrary JavaScript code into web applications built with Go templates, potentially leading to complete compromise of user sessions, data theft, and full application takeover through Cross-Site Scripting (XSS) attacks.
Affected Products
- Golang Go (versions prior to the security patch)
- Applications using Go's html/template or text/template packages with JavaScript template literals
- Web applications that dynamically generate JavaScript code using Go templates
Discovery Timeline
- 2023-04-06 - CVE-2023-24538 published to NVD
- 2025-02-12 - Last updated in NVD database
Technical Details for CVE-2023-24538
Vulnerability Analysis
This vulnerability exists in Go's template engine, which fails to recognize backticks as JavaScript string delimiters. Since the introduction of ES6, backticks have been used for template literals in JavaScript, allowing for multi-line strings and string interpolation. The Go template engine's escaping mechanism does not account for this syntax, creating a dangerous security gap.
When a Go template action (denoted by {{.}}) is placed within a JavaScript template literal, the action's output is not properly escaped. This allows an attacker to craft input containing backticks that terminate the JavaScript template literal, followed by arbitrary JavaScript code that will be executed in the victim's browser context.
The complexity of ES6 template literals, which themselves support string interpolation via ${expression} syntax, made implementing safe escaping impractical. The Go team's solution was to disallow Go template actions entirely within JavaScript template literals, following the same approach taken by github.com/google/safehtml.
Root Cause
The root cause is an incomplete escaping implementation in Go's template packages. The html/template package was designed to automatically escape content based on the surrounding context (HTML, JavaScript, CSS, etc.), but it failed to account for the ES6 backtick syntax introduced in modern JavaScript. This oversight means that while single and double quotes were properly escaped within JavaScript contexts, backticks were not recognized as string delimiters requiring special handling.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:
- Identifying a Go-based web application that uses templates to generate JavaScript code
- Injecting user-controlled data that contains backticks followed by malicious JavaScript
- When the template is rendered, the backtick terminates the JavaScript template literal
- The subsequent attacker-controlled content is interpreted as executable JavaScript
The vulnerability is particularly dangerous because the injected JavaScript code executes in the context of the victim's browser session, providing access to cookies, session tokens, and the ability to perform actions on behalf of the authenticated user.
Detection Methods for CVE-2023-24538
Indicators of Compromise
- Unexpected JavaScript syntax errors in server-generated pages containing Go template actions
- Detection of backtick characters in user input being reflected in JavaScript contexts
- Web application firewall logs showing attempts to inject backtick characters followed by JavaScript code
- Anomalous client-side JavaScript execution patterns in browser security monitoring
Detection Strategies
- Scan Go application source code for patterns like var a = {{.}} within JavaScript template literal contexts
- Implement Content Security Policy (CSP) headers to detect and report inline script injection attempts
- Deploy web application firewalls with rules to detect JavaScript injection patterns containing backticks
- Monitor application logs for template parsing errors with ErrorCode 12 (introduced in the fix)
Monitoring Recommendations
- Enable verbose logging for template parsing operations to capture error codes
- Implement client-side JavaScript error monitoring to detect unexpected syntax errors
- Configure security information and event management (SIEM) rules to alert on potential XSS patterns
- Regularly audit application code for unsafe template patterns using static analysis tools
How to Mitigate CVE-2023-24538
Immediate Actions Required
- Upgrade Go to version 1.19.8, 1.20.3, or later which contain the security fix
- Audit all Go templates for patterns that place template actions within JavaScript template literals
- Implement input validation to sanitize user-controlled data before template rendering
- Deploy Content Security Policy headers to mitigate the impact of any successful injection
Patch Information
The Go team has released patches addressing this vulnerability. With the fix applied, Template.Parse returns an error when it encounters templates containing Go actions within JavaScript template literals. The error includes an ErrorCode of value 12, which is exported starting with Go 1.21.
For detailed patch information, see the Go.dev Code Review and the Go.dev Vulnerability Report. Additional vendor advisories are available from Gentoo GLSA 202311-09 and NetApp Security Advisory.
Workarounds
- Use the GODEBUG flag jstmpllitinterp=1 to re-enable the previous behavior with backticks now being escaped (use with caution as noted in the advisory)
- Refactor templates to avoid placing Go template actions within JavaScript template literals entirely
- Move dynamic data injection from inline JavaScript to data attributes or JSON endpoints
- Implement strict output encoding for all user-controlled data rendered in JavaScript contexts
If upgrading is not immediately possible, the recommended approach is to restructure templates to separate Go template actions from JavaScript template literals entirely. For example, instead of embedding template actions directly in JavaScript, pass data through HTML data attributes and access them via JavaScript DOM methods.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
