Errors returned from JSON marshaling may break template escaping in html/template

GO-2024-2610 · BIT-golang-2024-24785 · CVE-2024-24785

Published Mar 5, 2024 · Modified Feb 4, 2026

Description

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

References

REPORT https://go.dev/issue/65697
FIX https://go.dev/cl/564196
WEB https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes