CVE-2023-24540

CVE-2023-24540: Improper handling of JavaScript whitespace in html/template

Vendor Go Standard Library

Product html/template

Published May 11, 2023

Last update January 24, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Key dates

Disclosure timeline

May 11, 2023 CVE published

January 24, 2025 Record updated

Identifiers

CVE CVE-2023-24540

Affected versions

Vendor Go Standard Library

Product html/template

Affected < 1.19.9

Vendor Go Standard Library

Product html/template

Affected ≥ 1.20.0-0 and < 1.20.4