CVE-2024-24785 Overview
CVE-2024-24785 is a template injection vulnerability affecting the Go programming language's html/template package. If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package. This allows subsequent actions to inject unexpected content into templates, potentially enabling Cross-Site Scripting (XSS) attacks.
Critical Impact
Attackers can bypass the contextual auto-escaping security mechanism in Go's html/template package by crafting malicious error messages from MarshalJSON methods, potentially leading to XSS attacks and content injection in web applications.
Affected Products
- Go programming language html/template package
- Applications using Go's html/template with custom MarshalJSON implementations
- NetApp products (per NetApp Security Advisory NTAP-20240329-0008)
Discovery Timeline
- 2024-03-05 - CVE-2024-24785 published to NVD
- 2024-03-08 - Public disclosure via Openwall OSS-Security Discussion
- 2025-03-14 - Last updated in NVD database
Technical Details for CVE-2024-24785
Vulnerability Analysis
This vulnerability exists in Go's html/template package, which provides contextual auto-escaping to prevent XSS attacks when rendering HTML templates. The package is designed to automatically escape content based on the context where it appears (HTML, JavaScript, CSS, URL, etc.).
The flaw occurs when custom types implement the json.Marshaler interface via a MarshalJSON method. If this method returns an error containing user-controlled data, the error message can be crafted to break out of the auto-escaping context. This happens because error messages from JSON marshaling are processed in a way that doesn't properly sanitize embedded content before inclusion in template output.
An attacker who can influence the data passed to a MarshalJSON implementation can craft payloads that, when triggering an error, will bypass the template's safety mechanisms and inject arbitrary content.
Root Cause
The root cause lies in how the html/template package handles error messages returned from MarshalJSON methods during template execution. When JSON marshaling fails, the error message is incorporated into the template processing flow without adequate escaping. If the error message contains user-controlled data, this creates a path for injection attacks that circumvents the package's contextual auto-escaping design.
The vulnerability specifically affects the boundary between JSON serialization errors and HTML template rendering, where trust assumptions about error content are violated.
Attack Vector
The attack is network-accessible and requires the following conditions:
- The target application uses Go's html/template package
- The application processes user-controlled data through a custom type with a MarshalJSON method
- The MarshalJSON method can produce error messages that include user-provided input
- These errors are processed during template execution
An attacker provides specially crafted input that causes the MarshalJSON method to fail with an error message containing malicious content. This content then bypasses the auto-escaping mechanism, allowing injection of arbitrary HTML or JavaScript into the rendered template output.
For technical implementation details, see the Go.dev Issue Tracker Entry and the Go.dev Code Change Notice which contains the fix.
Detection Methods for CVE-2024-24785
Indicators of Compromise
- Unusual error messages in application logs containing HTML or JavaScript code fragments
- Template rendering errors that include unexpected special characters (<, >, ", ')
- Web application responses containing unescaped user input in HTML context
- Reports of XSS attacks originating from template-rendered pages
Detection Strategies
- Audit Go applications for custom MarshalJSON implementations that may include user input in error messages
- Review template rendering code paths for potential error handling that exposes marshaling failures
- Implement Content Security Policy (CSP) headers to detect and mitigate successful XSS exploitation
- Use static analysis tools to identify vulnerable patterns in Go codebases
Monitoring Recommendations
- Monitor web application firewall (WAF) logs for XSS attack patterns in request parameters
- Enable detailed logging for template rendering errors in Go applications
- Track security advisories from Go and downstream vendors for patch availability
- Monitor the Go.dev Vulnerability Report GO-2024-2610 for updates
How to Mitigate CVE-2024-24785
Immediate Actions Required
- Update Go to the latest patched version that addresses CVE-2024-24785
- Review all custom MarshalJSON implementations to ensure error messages do not include user-controlled data
- Implement input validation before data reaches MarshalJSON methods
- Deploy Content Security Policy headers as a defense-in-depth measure
Patch Information
The Go team has released a fix for this vulnerability. The patch is available via the Go.dev Code Change Notice. Organizations should update their Go installations and rebuild affected applications. NetApp customers should refer to the NetApp Security Advisory NTAP-20240329-0008 for product-specific guidance.
For detailed vulnerability information, consult the Golang Announcement on Security.
Workarounds
- Sanitize or remove user-controlled data from custom MarshalJSON error messages
- Implement wrapper functions that catch and sanitize marshaling errors before template processing
- Use the text/template package for non-HTML content where contextual escaping is not required
- Add explicit output encoding as an additional layer of protection around template rendering
# Check Go version and update
go version
# Update to latest Go version
go install golang.org/dl/go1.22@latest
# Rebuild affected applications after updating Go
go build -a ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
