crossbow-lang@1.0.0 vulnerabilities

Shane Osbourne's fork of Linkedin's fork of Dustjs

latest version

1.0.0
first published

10 years ago
latest version published

10 years ago
licenses detected
- MIT
  >=0
View crossbow-lang package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the crossbow-lang package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Code Injection `crossbow-lang` is an unmaintaned fork of `dustjs-linkedin`, a Javascript templating engine designed to run asynchronously on both the server and the browser. It is vulnerable to the same Code Injection vulnerability as Dust.js Dust.js uses Javascript's `eval()` function to evaluate the "if" statement conditions. The input to the function is sanitized by escaping all potentially dangerous characters. However, if the variable passed in is an array, no escaping is applied, exposing an easy path to code injection. The risk of exploit is especially high given the fact `express`, `koa` and many other Node.js servers allow users to force a query parameter to be an array using the `param[]=value` notation. How to fix Code Injection? Latest release (`v1.0.0`) is vulnerable, so we suggest to avoid using it altogether, until a patch is made available.	*

Code Injection

crossbow-lang is an unmaintaned fork of dustjs-linkedin, a Javascript templating engine designed to run asynchronously on both the server and the browser. It is vulnerable to the same Code Injection vulnerability as Dust.js

Dust.js uses Javascript's eval() function to evaluate the "if" statement conditions. The input to the function is sanitized by escaping all potentially dangerous characters.

However, if the variable passed in is an array, no escaping is applied, exposing an easy path to code injection. The risk of exploit is especially high given the fact express, koa and many other Node.js servers allow users to force a query parameter to be an array using the param[]=value notation.

How to fix Code Injection?

Latest release (v1.0.0) is vulnerable, so we suggest to avoid using it altogether, until a patch is made available.

Go back to all versions of this package

crossbow-lang@1.0.0 vulnerabilities

Shane Osbourne's fork of Linkedin's fork of Dustjs

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities