PT-2023-8807 · Go+11
Sohom Datta · Published 2023-04-04 · Updated 2025-09-13
CVE-2023-24538 · CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Go versions prior to 1.21
Description
The issue stems from the improper handling of backticks (`) as JavaScript string delimiters in templates: because backticks were not escaped, a Go template action placed inside a JavaScript template literal could terminate the literal and inject arbitrary JavaScript code into the template's output. Since ES6 template literals are complex and themselves perform string interpolation, the decision was made to disallow Go template actions inside JavaScript template literals altogether. With the fix, Template.Parse returns an Error when it encounters such a template.
Recommendations
For versions prior to 1.21, users who rely on the previous behaviour can re-enable it with the GODEBUG setting jstmpllitinterp=1, with the caveat that backticks are now escaped; this should be used with caution. It is recommended to update to Go 1.21 or later to resolve the issue. As a temporary workaround, avoid using Go template actions inside JavaScript template literals to reduce the risk of exploitation.
Fix
Code Injection
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
AlmaLinux
Astra Linux
CentOS
Debian
Go
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu