Medium severity6.1NVD Advisory· Published Jan 13, 2025· Updated Apr 15, 2026
CVE-2025-23026
CVE-2025-23026
Description
jte (Java Template Engine) is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with script tags or script attributes that include a Javascript template string (backticks) are subject to XSS. The javaScriptBlock and javaScriptAttribute methods in the Escape class do not escape backticks, which are used for Javascript template strings. Dollar signs in template strings should also be escaped as well to prevent undesired interpolation. HTML templates rendered by Jte's OwaspHtmlTemplateOutput in versions less than or equal to 3.1.15 with script tags or script attributes that contain Javascript template strings (backticks) are vulnerable. Users are advised to upgrade to version 3.1.16 or later to resolve this issue. There are no known workarounds for this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gg.jte:jteMaven | < 3.1.16 | 3.1.16 |
gg.jte:jte-runtimeMaven | < 3.1.16 | 3.1.16 |
Patches
2d50dce8119b7https://github.com/casid/jtevia osv
2 files changed · +86 −0
jte-runtime/src/main/java/gg/jte/html/escape/Escape.java+4 −0 modified@@ -49,6 +49,8 @@ public static void javaScriptBlock(String value, TemplateOutput output) { switch (c) { case '\'' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\'", output); case '"' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\\"", output); + case '`' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\`", output); + case '$' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\$", output); case '/' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\/", output); case '-' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\-", output); case '\\' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\\\", output); @@ -73,6 +75,8 @@ public static void javaScriptAttribute(String value, TemplateOutput output) { switch (c) { case '\'' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\x27", output); case '"' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\x22", output); + case '`' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\x60", output); + case '$' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\x24", output); case '\\' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\\\", output); case '\n' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\n", output); case '\t' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\t", output);
jte/src/test/java/gg/jte/TemplateEngine_HtmlOutputEscapingTest.java+82 −0 modified@@ -1313,6 +1313,88 @@ void invalidAttribute_semicolon() { assertThat(throwable).isInstanceOf(TemplateException.class).hasMessage("Failed to compile template.jte, error at line 1: Invalid HTML attribute name ;!"); } + @Test + void templateStringInJavaScriptBlock_backtick() { + codeResolver.givenCode("template.jte", """ + @param String someMessage + <!DOCTYPE html> + <html lang="en"> + <head> + <title>XSS Test</title> + <script>window.someVariable = `${someMessage}`;</script> + </head> + <body> + <h1>XSS Test</h1> + </body> + </html> + """); + + templateEngine.render("template.jte", "` + alert(`xss`) + `", output); + + assertThat(output.toString()).isEqualTo(""" + <!DOCTYPE html> + <html lang="en"> + <head> + <title>XSS Test</title> + <script>window.someVariable = `\\` + alert(\\`xss\\`) + \\``;</script> + </head> + <body> + <h1>XSS Test</h1> + </body> + </html> + """); + } + + @Test + void templateStringInJavaScriptBlock_dollar() { + codeResolver.givenCode("template.jte", """ + @param String someMessage + <!DOCTYPE html> + <html lang="en"> + <head> + <title>XSS Test</title> + <script>window.someVariable = `${someMessage}`;</script> + </head> + <body> + <h1>XSS Test</h1> + </body> + </html> + """); + + templateEngine.render("template.jte", "${secret}", output); + + assertThat(output.toString()).isEqualTo(""" + <!DOCTYPE html> + <html lang="en"> + <head> + <title>XSS Test</title> + <script>window.someVariable = `\\${secret}`;</script> + </head> + <body> + <h1>XSS Test</h1> + </body> + </html> + """); + } + + @Test + void templateStringInJavaScriptAttribute_backtick() { + codeResolver.givenCode("template.jte", "@param String p\n<span onClick=\"console.log(`${p}`)\">foo</span>"); + + templateEngine.render("template.jte", "` + alert(`xss`) + `", output); + + assertThat(output.toString()).isEqualTo("<span onClick=\"console.log(`\\x60 + alert(\\x60xss\\x60) + \\x60`)\">foo</span>"); + } + + @Test + void templateStringInJavaScriptAttribute_dollar() { + codeResolver.givenCode("template.jte", "@param String p\n<span onClick=\"console.log(`${p}`)\">foo</span>"); + + templateEngine.render("template.jte", "${secret}", output); + + assertThat(output.toString()).isEqualTo("<span onClick=\"console.log(`\\x24{secret}`)\">foo</span>"); + } + @Test void localization_notFound_noParams() { codeResolver.givenCode("template.jte", """
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-vh22-6c6h-rm8qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-23026ghsaADVISORY
- developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literalsnvdWEB
- github.com/casid/jte/blob/main/jte-runtime/src/main/java/gg/jte/html/escape/Escape.javanvdWEB
- github.com/casid/jte/commit/a6fb00d53c7b8dbb86de933215dbe1b9191a57f1ghsaWEB
- github.com/casid/jte/security/advisories/GHSA-vh22-6c6h-rm8qnvdWEB
News mentions
0No linked articles in our index yet.