Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12aDIyLTZjNmgtcm04cc4ABDOu
jte's HTML templates containing Javascript template strings are subject to XSS
Summary
Jte HTML templates with script tags or script attributes that include a Javascript template string (backticks) are subject to XSS.
Details
The javaScriptBlock and javaScriptAttribute methods in the Escape class (source) do not escape backticks, which are used for Javascript template strings. Dollar signs in template strings should also be escaped as well to prevent undesired interpolation.
PoC
- Use the Jte Gradle Plugin with the following code in
src/jte/xss.jte:@param String someMessage <!DOCTYPE html> <html lang="en"> <head> <title>XSS Test</title> <script>window.someVariable = `${someMessage}`;</script> </head> <body> <h1>XSS Test</h1> </body> </html> - Use the following Java code to demonstrate the XSS vulnerability:
final StringOutput output = new StringOutput(); JtexssGenerated.render(new OwaspHtmlTemplateOutput(output), null, "` + alert(`xss`) + `"); renderHtml(output);
Impact
HTML templates rendered by Jte's OwaspHtmlTemplateOutput in versions less than or equal to 3.1.15 with script tags or script attributes that contain Javascript template strings (backticks) are vulnerable.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12aDIyLTZjNmgtcm04cc4ABDOu
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 days ago
Updated: 4 days ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00045
EPSS Percentile: 0.17569
Identifiers: GHSA-vh22-6c6h-rm8q, CVE-2025-23026
References:
- https://github.com/casid/jte/security/advisories/GHSA-vh22-6c6h-rm8q
- https://github.com/casid/jte/commit/a6fb00d53c7b8dbb86de933215dbe1b9191a57f1
- https://nvd.nist.gov/vuln/detail/CVE-2025-23026
- https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#description
- https://github.com/casid/jte/blob/main/jte-runtime/src/main/java/gg/jte/html/escape/Escape.java#L43-L83
- https://github.com/advisories/GHSA-vh22-6c6h-rm8q
Blast Radius: 12.9
Affected Packages
maven:gg.jte:jte-runtime
Dependent packages: 1Dependent repositories: 3
Downloads:
Affected Version Ranges: <= 3.1.15
Fixed in: 3.1.16
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15
All unaffected versions:
maven:gg.jte:jte
Dependent packages: 19Dependent repositories: 130
Downloads:
Affected Version Ranges: <= 3.1.15
Fixed in: 3.1.16
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.12.0, 1.12.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15
All unaffected versions: