Affected versions of nunjucks do not properly escape specially structured user input in template vars when in auto-escape mode, resulting in a cross-site scripting vulnerability.

Proof of Concept

By using an array for the keys in a template var, escaping is bypassed.

name[]=<script>alert(1)</script>

A full PoC is available in the references section.

Recommendation

Update to version 2.4.3 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-10547
• mozilla/nunjucks#835
• GHSA-f7ph-p5rv-phw2
• https://github.com/matt-/nunjucks_test
• https://www.npmjs.com/advisories/147