CVE-2021-37634
LeafKit allows XSS with untrusted user input
In short
LeafKit's templating engine didn't escape user input in variable tags before version 1.3.0, allowing attackers to inject malicious scripts into web pages. If a website displays untrusted user data through LeafKit without proper sanitization, visitors could be tricked into running attacker-controlled code in their browsers.
Technical detail
Cross-site Scripting (XSS) vulnerability in LeafKit < 1.3.0 where variable tags fail to escape user-supplied input, enabling script injection into rendered HTML. Attack vector requires an application to pass unsanitized user data to Leaf templates; impact includes session hijacking, credential theft, and malware distribution if Content Security Policy is not enforced.
Summary generated and translated by AI from the official description.
LeafKit is a templating language with Swift-inspired syntax. Versions prior to 1.3.0 are susceptible to Cross-site Scripting (XSS) attacks. This affects anyone passing unsanitised data to Leaf's variable tags. Before this fix, Leaf would not escape any strings passed to tags as variables. If an attacker managed to find a variable that was rendered with their unsanitised data, they could inject scripts into a generated Leaf page, which could enable XSS attacks if other mitigations such as a Content Security Policy were not enabled. This has been patched in 1.3.0. As a workaround, sanitize any untrusted input before passing it to Leaf and enable a CSP to block inline script and CSS data.
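The workaround described above, sketched as an added example in plain Swift (not code from LeafKit or from the advisory). The names htmlEscaped, sanitizedContext and contentSecurityPolicy are hypothetical, the sample input is constructed, and how the context reaches the template and how the header is set depend on the application.

```swift
// Added example: pre-escaping untrusted values for LeafKit < 1.3.0.
// All names below are hypothetical helpers, not LeafKit or Vapor API.

/// Escapes the five characters that are significant in HTML text and in
/// quoted attribute values. This does not make a value safe inside
/// <script> blocks, URLs or unquoted attributes.
func htmlEscaped(_ input: String) -> String {
    var out = ""
    out.reserveCapacity(input.utf8.count)
    for ch in input {
        switch ch {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.append(ch)
        }
    }
    return out
}

/// Escapes every untrusted string in a template context in one place,
/// so no individual variable tag is forgotten.
func sanitizedContext(_ untrusted: [String: String]) -> [String: String] {
    untrusted.mapValues(htmlEscaped)
}

/// Response header value that blocks inline script and inline CSS,
/// the second layer named in the workaround.
let contentSecurityPolicy =
    "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'none'"

// Constructed sample input standing in for user-supplied form fields.
let context = sanitizedContext([
    "name": "<script>alert(1)</script>",
    "bio": "Tom & \"Jerry\"",
])
for key in context.keys.sorted() {
    print("\(key): \(context[key]!)")
}
print("Content-Security-Policy: \(contentSecurityPolicy)")
```

After upgrading to 1.3.0 or later, where Leaf escapes variable output itself, remove the manual escaping so that text is not encoded twice.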
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Affected products
vapor · leaf-kit