Cross-site Scripting (XSS)
Description
This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-23416: All versions of curly-bracket-parser fail to sanitize user input, enabling reflected XSS in template contexts.
Vulnerability
All versions of the package curly-bracket-parser are vulnerable to Cross-site Scripting (XSS). When used as a template library, it does not properly sanitize user input supplied to template variables, such as {{name}} [1][2][3].
Exploitation
An attacker can inject arbitrary JavaScript by providing a crafted value for a template variable, for example via a URL query parameter like ?name=. The parser processes the template and returns the unsanitized string to the browser, which then executes the injected script [2].
Impact
Successful exploitation leads to reflected XSS, allowing the attacker to execute arbitrary JavaScript in the victim's browser. This can result in session hijacking, defacement, or theft of sensitive data.
Mitigation
As of the publication date (July 2021), there is no fixed version available for curly-bracket-parser [2]. Users should avoid using the package in contexts where user input is processed, or manually sanitize output with a dedicated sanitization library.
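The flaw class described above, a `{{name}}` substitution that copies the value verbatim into HTML, shown next to the escaping variant the mitigation calls for. This is an added example, not curly-bracket-parser's own code; the two renderers, the template and the untrusted input are constructed for illustration.

```javascript
// Minimal {{var}} renderers: one interpolates raw (the vulnerable pattern),
// one HTML-escapes every substituted value (the hardened pattern).
// Constructed illustration; not the curly-bracket-parser implementation.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the characters that change meaning in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the variable's value lands in the output unchanged,
// so markup in user input becomes markup in the page.
function renderUnsafe(template, vars) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) =>
    key in vars ? String(vars[key]) : '');
}

// Hardened pattern: escape on output, so user input can only ever be text.
function renderEscaped(template, vars) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) =>
    key in vars ? escapeHtml(vars[key]) : '');
}

// Review/test helper: did rendering introduce a tag the template itself lacked?
function introducesTag(template, rendered) {
  const tagsIn = (s) => (s.match(/<[a-zA-Z/][^>]*>/g) || []).length;
  return tagsIn(rendered) > tagsIn(template);
}

// Constructed sample: a greeting template fed a query-string value carrying markup.
const TEMPLATE = '<p>Hello, {{name}}!</p>';
const UNTRUSTED_NAME = '<script>alert(1)</script>';

console.log('unsafe :', renderUnsafe(TEMPLATE, { name: UNTRUSTED_NAME }));
console.log('escaped:', renderEscaped(TEMPLATE, { name: UNTRUSTED_NAME }));
```

`introducesTag` is a cheap regression check for a test suite: render every template with inputs containing `<` and fail the build if the output gains a tag.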
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| curly-bracket-parser (npm) | <= 1.0.2 | — |
Affected products
- curly-bracket-parser/curly-bracket-parser
  - Range: all versions
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rqf8-8c89-mw29 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23416 (advisory)
- github.com/magynhard/curly-bracket-parser/blob/master/src/curly-bracket-parser/curly-bracket-parser.js (web)
- github.com/magynhard/curly-bracket-parser/blob/master/src/curly-bracket-parser/curly-bracket-parser.js%23L31 (web)
- snyk.io/vuln/SNYK-JS-CURLYBRACKETPARSER-1297106 (web)
News mentions
No linked articles in our index yet.