VYPR
High severity · NVD Advisory · Published Oct 20, 2020 · Updated Sep 16, 2024

Server-side Request Forgery (SSRF)

CVE-2020-7749

Description

Unescaped user input in osm-static-maps allows XSS, SSRF, and local file read via template injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

The vulnerability in osm-static-maps arises from the use of unescaped triple mustache syntax ({{{ ... }}}) in its templates. User-supplied parameters are passed directly into the template without any sanitization, allowing an attacker to inject arbitrary HTML and JavaScript code [1]. This is a classic template injection flaw that bypasses the default escaping provided by Handlebars-style templates.

Exploitation

An attacker can exploit this by crafting malicious input that is inserted into the template. Depending on the context in which the template is rendered, the impact varies. If the output is served as an HTML page to a browser, the injected script executes in the victim's session, leading to Cross-Site Scripting (XSS). If the template is rendered server-side using Puppeteer (e.g., for generating static maps), the same injection can be used to perform Server-Side Request Forgery (SSRF) or read local files from the server's filesystem [1][4].

Impact

Successful exploitation can result in:

- XSS: Execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or defacement.
- SSRF: The server can be coerced into making requests to internal or external resources, potentially exposing sensitive services or enabling further attacks.
- Local File Read: The attacker can read arbitrary files from the server, such as configuration files or application source code, by leveraging Puppeteer's file access capabilities [1][4].

Mitigation

The issue was addressed in version 3.9.0 of osm-static-maps. The fix introduces a sanitize function that HTML-escapes special characters (&, <, >, ", ') in all user-supplied parameters before they are inserted into the template [2][3]. Users are strongly advised to upgrade to version 3.9.0 or later. No workarounds are available for earlier versions [4].
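
An added example (not code from osm-static-maps or from this advisory) of the escaping approach the Mitigation paragraph describes, extended to cover non-string values such as arrays or nested objects that a query-string or body parser can return. `renderRaw`, the template and the parameter values are constructed stand-ins for a triple-mustache slot.

```javascript
// Added example; names, template and sample input are constructed.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
};

// Single pass over the string, so "&" produced by one replacement is never re-escaped.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Escape every string reachable from the parameters. Parsers can return arrays
// (?a=1&a=2) and nested objects (?a[b]=1); a parsed body can hold numbers.
function sanitizeParams(value) {
  if (typeof value === "string") return escapeHtml(value);
  if (Array.isArray(value)) return value.map(sanitizeParams);
  if (value !== null && typeof value === "object") {
    // Object.fromEntries defines own properties, so a "__proto__" key cannot
    // replace the prototype of the result.
    return Object.fromEntries(
      Object.entries(value).map(([key, inner]) => [key, sanitizeParams(inner)])
    );
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Hypothetical stand-in for a triple-mustache slot: the value is inserted raw.
function renderRaw(template, params) {
  return template.replace(/\{\{\{\s*(\w+)\s*\}\}\}/g, (_, name) =>
    String(params[name] ?? "")
  );
}

// Constructed template and request parameters.
const TEMPLATE = '<div id="map" data-attribution="{{{ attribution }}}"></div>';
const query = { attribution: '"><b>injected</b>', markers: ["<i>a</i>", "b"], zoom: 12 };

function demo() {
  const sanitized = sanitizeParams(query);
  return {
    unsafe: renderRaw(TEMPLATE, query),    // markup escapes the attribute
    safe: renderRaw(TEMPLATE, sanitized),  // value stays inside the attribute
    sanitized,
  };
}

console.log(demo());
```

HTML entity escaping is correct for HTML text and quoted-attribute contexts only; a value that a template places inside a script block needs JavaScript or JSON string encoding instead.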

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
osm-static-maps (npm) | < 3.9.0 | 3.9.0

Affected products

2

Patches

1
97355d29e087

fix: escape special characters before insertion to template

https://github.com/jperelli/osm-static-maps · snoopysecurity · Oct 11, 2020 · via ghsa
1 file changed · +25 -6
  • src/server.js · +25 -6 · modified
    @@ -19,6 +19,23 @@ app.use((req, res, next) => {
       next();
     });
     
    +
    +function htmlEscape(text) {
    +  return text.replace(/&/g, '&amp;').
    +  replace(/</g, '&lt;').
    +  replace(/"/g, '&quot;').
    +  replace(/'/g, '&#039;');
    +}
    +
    +
    +function sanitize(params) {
    +  result = {}
    +  for (let [key, value] of Object.entries(params)) {
    +      result[key] = htmlEscape(value)
    +  }
    +  return result;
    +}
    +
     app.get("/health", (req, res) => res.sendStatus(200));
     
     const handler = (res, params) => {
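
Review bot: `sanitize` passes every value straight to `htmlEscape`, which calls `text.replace`, so any parameter that is not a string (repeated query keys arrive as arrays, bracketed keys as objects, and a parsed body can hold numbers) throws a TypeError instead of being escaped; add a `typeof value === 'string'` check and decide explicitly how arrays and objects are handled. In the same function `result = {}` has no declaration, which makes `result` an implicit global shared across requests; use `const result = {}`. `htmlEscape` also leaves `>` unescaped; adding `replace(/>/g, '&gt;')` would cover the usual five characters.
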
    @@ -40,12 +57,14 @@ const handler = (res, params) => {
     app.get("/", (req, res) => handler(res, req.query));
     app.post("/", (req, res) => handler(res, req.body));
     
    -app.get("/dynamic", (req, res) =>
    -  handler(res, { ...req.query, renderToHtml: true })
    -);
    +app.get("/dynamic", (req, res) => {
    +  var sanitized = sanitize(req.query)
    +  handler(res, { ...sanitized, renderToHtml: true })
    +})
     
    -app.post("/dynamic", (req, res) =>
    -  handler(res, { ...req.body, renderToHtml: true })
    -);
    +app.post("/dynamic", (req, res) => {
    +  var sanitized = sanitize(req.body)
    +  handler(res, { ...sanitized, renderToHtml: true })
    +})
     
     module.exports = http.createServer(app);
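
Review bot: only the two `/dynamic` routes call `sanitize`; the `app.get("/")` and `app.post("/")` lines at the top of this hunk still pass `req.query` and `req.body` to `handler` unescaped. If `handler` fills the same template for those routes, the escaping should move into `handler` itself (or be applied to all four routes) so that no entry point can skip it. Minor: `var sanitized` can be `const`, and the new statements lack the semicolons used elsewhere in the file.
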
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
