GHSA-f7ph-p5rv-phw2

GitHub Security Advisory

Cross-Site Scripting in nunjucks

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

Affected versions of `nunjucks` (before 2.4.3) do not properly escape specially structured user input in template variables when auto-escaping is enabled, resulting in a cross-site scripting vulnerability.

## Proof of Concept

By using an array for the keys in a template var, escaping is bypassed. In an Express application, the default query-string parser turns the bracket notation below into `req.query.name = ['<script>alert(1)</script>']`. When that array reaches a template as a variable and is output with `{{ name }}`, nunjucks before 2.4.3 skips escaping because its auto-escape step only handled string values; the array is then coerced to a string during output, so the payload lands in the page unescaped.
```text
name[]=<script>alert(1)</script>
```

A full PoC is available in the references section.

## Recommendation

Update to version 2.4.3 or later. Check which version a project actually resolves, including transitive copies pulled in by other dependencies, with `npm ls nunjucks`.

Affected Packages

npm nunjucks
Affected versions: < 2.4.3 (fixed in 2.4.3)

Key Information

GHSA ID
GHSA-f7ph-p5rv-phw2
Published
November 6, 2018 11:13 PM
Last Modified
August 31, 2020 6:12 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
nunjucks
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.