Content Injection
Description
This affects the package Crow before 0.3+4. When using attributes without quotes in the template, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the value entered into the template. If the template is used to render user-generated content, this vulnerability may escalate to a persistent XSS vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crow template rendering before 0.3+4 is vulnerable to content injection, enabling XSS when unquoted template attributes process user input.
Vulnerability
Content injection vulnerability in Crow microframework versions before 0.3+4 [1]. The flaw resides in the Mustache template rendering engine when processing attributes without quotes. If a template like `` is used, an attacker who can influence the value of the template variable can inject arbitrary HTML attributes. Specifically, the template engine does not escape certain characters, allowing attribute injection [2]. The affected versions are all releases prior to the fix in v0.3+4 [3].
Exploitation
An attacker needs the ability to control a template variable that is rendered into an unquoted attribute. In the provided proof of concept, a GET parameter src is passed directly into the template context without sanitization [1]. The attacker crafts a payload such as src=x%20onerror%3Dalert(1), which, when rendered, becomes ``. No authentication or special privileges are required; the attack is performed over HTTP by supplying the malicious input to a route that uses the vulnerable template [1].
Impact
Successful exploitation results in Cross-site Scripting (XSS) [1]. The injected code executes in the context of the victim's browser, allowing the attacker to steal cookies, session tokens, or perform actions on behalf of the user. If the vulnerable template renders user-generated content (e.g., comments, profiles), the XSS can become persistent, affecting all visitors to that page [1].
Mitigation
Upgrade to Crow version 0.3+4 or later, which includes the fix merged in pull request #317 [2][3]. This version sanitizes filenames and escapes template output to prevent attribute injection [2]. No workarounds are documented for earlier versions. The fix was released on 12 January 2022 [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
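To audit templates for the unquoted-attribute condition described above, the following added example (not code from Crow or from the cited references) scans a Mustache template for variables that sit inside an HTML tag but outside a quoted attribute value. The helper name `unquoted_attr_vars` and the sample templates are constructed for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Added example: returns the Mustache variables that appear inside an HTML
// tag but outside a quoted attribute value, e.g. <img src={{src}}>.
// Hypothetical helper name; heuristic scanner, not a full HTML parser.
std::vector<std::string> unquoted_attr_vars(const std::string& tpl) {
    std::vector<std::string> hits;
    bool in_tag = false;  // between '<' + letter and '>'
    char quote = 0;       // quote character currently open in the tag, or 0
    for (std::size_t i = 0; i < tpl.size(); ++i) {
        if (tpl.compare(i, 2, "{{") == 0) {
            std::size_t end = tpl.find("}}", i + 2);
            if (end == std::string::npos) break;  // unterminated Mustache tag
            std::string name = tpl.substr(i + 2, end - i - 2);
            std::size_t b = name.find_first_not_of(" \t{&");
            std::size_t e = name.find_last_not_of(" \t}");
            // Skip empty tags, sections, inverted sections, comments, partials.
            bool is_var = b != std::string::npos && e != std::string::npos && b <= e &&
                          std::string("#/^!>").find(name[b]) == std::string::npos;
            if (is_var && in_tag && quote == 0)
                hits.push_back(name.substr(b, e - b + 1));
            i = end + 1;  // continue after the closing braces
            continue;
        }
        char c = tpl[i];
        if (!in_tag) {
            in_tag = c == '<' && i + 1 < tpl.size() &&
                     std::isalpha(static_cast<unsigned char>(tpl[i + 1]));
        } else if (quote != 0) {
            if (c == quote) quote = 0;          // closing quote
        } else if (c == '"' || c == '\'') {
            quote = c;                          // opening quote
        } else if (c == '>') {
            in_tag = false;
        }
    }
    return hits;
}

int main() {
    // Constructed sample templates, not taken from the Crow repository.
    const std::string risky = "<img src={{ src }} alt=\"{{alt}}\">";
    const std::string safe = "<p class='{{cls}}'>{{body}}</p>";
    for (const auto& v : unquoted_attr_vars(risky))
        std::cout << "unquoted attribute variable: " << v << "\n";
    std::cout << "safe template hits: " << unquoted_attr_vars(safe).size() << "\n";
    return 0;
}
```

Each reported variable marks a template position of the kind the description refers to; upgrading to 0.3+4 remains the fix the page documents.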
Affected products
- Crow/Crow (description)
References
- github.com/CrowCpp/Crow/pull/317 (mitre, x_refsource_MISC)
- github.com/CrowCpp/Crow/releases/tag/v0.3%2B4 (mitre, x_refsource_MISC)
- snyk.io/vuln/SNYK-UNMANAGED-CROW-2336164 (mitre, x_refsource_MISC)