VYPR
`, it is possible to bypass autoescaping and inject content into the DOM.","additionalType":"https://schema.org/SoftwareApplication","sameAs":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10547"]},"keywords":"CVE-2016-10547, moderate, CWE-79, HackerOne nunjucks node module","mentions":[{"@type":"SoftwareApplication","name":"nunjucks node module","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"HackerOne"}}],"isAccessibleForFree":true},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://portal.vyprsec.ai/"},{"@type":"ListItem","position":2,"name":"CVEs","item":"https://portal.vyprsec.ai/cves"},{"@type":"ListItem","position":3,"name":"CVE-2016-10547","item":"https://portal.vyprsec.ai/cves/CVE-2016-10547"}]}]}
← All advisories
Moderate severityNVD Advisory· Published May 31, 2018· Updated Sep 16, 2024

CVE-2016-10547

CVE-2016-10547

Description

Nunjucks template engine before 2.4.3 bypasses autoescaping when template variables are passed as arrays, allowing reflected XSS injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nunjucks template engine before 2.4.3 bypasses autoescaping when template variables are passed as arrays, allowing reflected XSS injection.

Vulnerability

A bypass of autoescape mode exists in Nunjucks versions 2.4.2 and earlier [1][3]. The suppressValue function in src/runtime.js only escapes template variables if they are of type string [2][4]. When a variable is passed as an array (e.g., via an HTTP query string using [] notation), the type check fails and the value is rendered unescaped, allowing cross-site scripting (XSS) injection [1][2].

Exploitation

An attacker can inject arbitrary HTML or JavaScript into a page by supplying a query parameter using array syntax, such as ?name[]= [2]. This works because frameworks like Express use qs or body-parser to parse query strings, which automatically produce arrays when [] is used [2][4]. The attacker needs no authentication; only the ability to craft a URL that a victim visits on a server using Nunjucks with autoescape enabled [2].

Impact

Successful exploitation results in reflected XSS, allowing the attacker to execute arbitrary JavaScript in the victim's browser within the context of the vulnerable application. This can lead to session hijacking, credential theft, defacement, or other client-side attacks [1].

Mitigation

Fix released in Nunjucks version 2.4.3 [3]. Upgrade to 2.4.3 or later immediately. No workaround is available if autoescape is required. If upgrading is not possible, ensure user input is not passed as an array to templates (e.g., by converting arrays to strings before rendering) [2][4]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.

References
  1. NVD - CVE-2016-10547
  2. GitHub - matt-/nunjucks_test: nunjucks template test
  3. CVE-2016-10547 - GitHub Advisory Database
  4. Bypass autoescape / XSS

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nunjucksnpm
< 2.4.32.4.3

Affected products

2
  • ghsa-coords
    pkg:npm/nunjucks
    Range: < 2.4.3
  • HackerOne/nunjucks node modulev5
    Range: <=2.4.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.