Nunjucks autoescape bypass leads to cross site scripting
Description
In Nunjucks versions prior to 3.2.4, a bypass of autoescape allowed cross-site scripting via backslashes when two user parameters appear on the same line.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Nunjucks template engine versions before 3.2.4, the autoescape feature could be bypassed under specific conditions. If two user-controlled parameters were placed on the same line in a template view, an attacker could inject cross-site scripting (XSS) payloads using the backslash character [1]. The root cause was that backslashes were not HTML-encoded by the escape filter or autoescape, allowing them to break out of the escaping context [2].
To exploit this vulnerability, an attacker needs to control two parameters that are rendered on the same line in a template. By inserting a backslash, the attacker can escape the intended quotation marks or HTML entities, leading to injection of malicious JavaScript. No special network access is required beyond the ability to supply user input to the template [1].
Successful exploitation can result in reflected or stored XSS, depending on how the template is used. An attacker could execute arbitrary scripts in the victim's browser, potentially leading to session hijacking, data theft, or other malicious actions [1].
The issue is fixed in Nunjucks version 3.2.4. The fix adds the backslash character to the HTML encoding mapping and to the escape regular expression, so that a backslash is emitted as the character reference `&#92;` instead of being passed through [2][4]. Users are advised to upgrade to version 3.2.4 or later to mitigate the vulnerability [3].
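As an added example (not Nunjucks' own code), the block below models the escape map from the lib.js change before and after 3.2.4 and checks whether a parameter ending in a backslash lets the next parameter on the same `<script>` line fall outside its quotes; the template line, the inputs and the helper names are constructed for illustration.

```javascript
// Added example, not Nunjucks' own code: the escape map before and after the 3.2.4
// fix, modelled on the lib.js change; the '\\' -> '&#92;' entry is what the fix adds.
const ESCAPE_MAP_BEFORE = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
const ESCAPE_MAP_AFTER = { ...ESCAPE_MAP_BEFORE, '\\': '&#92;' };

// Same shape as the escape filter: replace each mapped character via a regex.
function escapeHtml(value, fixed) {
  const map = fixed ? ESCAPE_MAP_AFTER : ESCAPE_MAP_BEFORE;
  const re = fixed ? /[&"'<>\\]/g : /[&"'<>]/g;
  return String(value).replace(re, (ch) => map[ch]);
}

// Constructed template line: two autoescaped parameters inside a <script> block.
// In script data the browser does not decode entities, so '&#92;' stays literal text.
function renderScriptLine(a, b, fixed) {
  return `var a = '${escapeHtml(a, fixed)}', b = '${escapeHtml(b, fixed)}';`;
}

// Find where a JS single-quoted string literal opening at `start` closes, honouring
// backslash escapes the way the JS tokenizer does; -1 if it never closes.
function jsStringEnd(src, start) {
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === '\\') { i += 1; continue; } // escaped character, skip it
    if (src[i] === "'") return i;
  }
  return -1;
}

// True when the first parameter's literal closes exactly where the template intended,
// i.e. right before the ", b = '" the author wrote. False means the second parameter
// is being read as JavaScript code rather than as string data.
function firstParamStaysQuoted(line) {
  const open = line.indexOf("'");
  const end = jsStringEnd(line, open);
  return end !== -1 && line.slice(end, end + 8) === "', b = '";
}

// Constructed inputs: the first value ends in a backslash, the second is ordinary text.
const A = 'x\\';
const B = 'second';
for (const fixed of [false, true]) {
  const line = renderScriptLine(A, B, fixed);
  console.log(fixed ? '3.2.4  ' : 'pre-fix', JSON.stringify(line), firstParamStaysQuoted(line));
}
```

The pre-fix line reads `var a = 'x\', b = 'second';`, where the surviving backslash escapes the closing quote and the second value is no longer string data; the 3.2.4 line keeps both values quoted.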
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nunjucks (npm) | < 3.2.4 | 3.2.4 |
Affected products
Patches
ec16d210e7e1 fix: html encode backslashes if used with escape filter or autoescape (#1437)
4 files changed · +23 −5
CHANGELOG.md+7 −0 modified@@ -1,6 +1,13 @@ Changelog ========= +3.2.4 (unreleased) +------------------ + +* HTML encode backslashes when expressions are passed through the escape + filter (including when this is done automatically with autoescape). Merge + of [#1427](https://github.com/mozilla/nunjucks/pull/1427). + 3.2.3 (Feb 15 2021) -------------------
nunjucks/src/lib.js+3 −2 modified@@ -8,10 +8,11 @@ var escapeMap = { '"': '"', '\'': ''', '<': '<', - '>': '>' + '>': '>', + '\\': '\', }; -var escapeRegex = /[&"'<>]/g; +var escapeRegex = /[&"'<>\\]/g; var exports = module.exports = {};
tests/compiler.js+11 −1 modified@@ -1976,6 +1976,16 @@ finish(done); }); + it('should autoescape backslashes', function(done) { + equal( + '{{ foo }}', + { foo: 'foo \\\' bar' }, + { autoescape: true }, + 'foo \' bar'); + + finish(done); + }); + it('should not autoescape when extension set false', function(done) { function TestExtension() { // jshint validthis: true @@ -2031,7 +2041,7 @@ }); it('should render regexs', function(done) { - equal('{{ r/name [0-9] \\// }}', + equal('{{ r/name [0-9] \\// }}', {}, { autoescape: false }, '/name [0-9] \\//'); equal('{{ r/x/gi }}',
tests/filters.js+2 −2 modified@@ -108,9 +108,9 @@ it('escape', function() { equal( - '{{ "<html>" | escape }}', {}, + '{{ "<html>\\\\" | escape }}', {}, { autoescape: false }, - '<html>'); + '<html>\'); }); it('escape skip safe', function() {
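Review bot: the CHANGELOG.md hunk credits the change to [#1427] while the commit title says (#1437), so one of the two numbers is wrong and the changelog link will point readers at an unrelated pull request. Suggest making the entry match the commit: `Merge of [#1437](https://github.com/mozilla/nunjucks/pull/1437).`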
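Review bot: in the nunjucks/src/lib.js hunk, every `escapeMap` entry as shown maps a character to itself (`'"': '"'`, `'>': '>'`, `'\\': '\',`), which would make the filter a no-op and, for the new entry, does not even parse as JavaScript; the entity references the commit message promises ("html encode") have evidently been decoded by whatever produced this listing, so the mapping must be taken from the commit itself rather than from this view. The `escapeRegex` change to `/[&"'<>\\]/g` is consistent with the new key, which is the part of the hunk that can be checked here.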
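Review bot: the new `should autoescape backslashes` case in tests/compiler.js renders a single `{{ foo }}` containing a backslash-quote pair, whereas the advisory's condition is two parameters on the same line with the first ending in a backslash; add an assertion that renders `{{ a }}` and `{{ b }}` on one line with `a` ending in `\\` so the regression test reproduces the reported trigger rather than only the character mapping.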
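Review bot: the `should render regexs` change in tests/compiler.js only adds `{ autoescape: false }` so the existing expectation `'/name [0-9] \\//'` keeps passing, which confirms a user-visible behaviour change: under autoescape a regex literal that contains a backslash will now render with the backslash HTML-encoded. That is the intended effect for untrusted data, but templates that rely on emitting backslash-bearing output under autoescape will change in 3.2.4, so the CHANGELOG entry should state the output change, not just the fix.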
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x77j-w7wf-fjmw (GHSA, advisory)
- github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw (GHSA, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-2142 (GHSA, advisory)
- bugzilla.mozilla.org/show_bug.cgi (GHSA, issue tracking)
- github.com/mozilla/nunjucks/commit/ec16d210e7e13f862eccdb0bc9af9f60ff6749d6 (GHSA, fix commit)
- github.com/mozilla/nunjucks/pull/1437 (GHSA, pull request)
- github.com/mozilla/nunjucks/releases/tag/v3.2.4 (GHSA, release)