CWE-150
AllowedImproper Neutralization of Escape, Meta, or Control Sequences
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
114 vulnerabilities reference this CWE, most recent first.
GHSA-MMFW-G245-WGX2
Vulnerability from github – Published: 2026-01-23 00:31 – Updated: 2026-01-23 00:31Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.
{
"affected": [],
"aliases": [
"CVE-2026-21521"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T23:15:57Z",
"severity": "HIGH"
},
"details": "Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.",
"id": "GHSA-mmfw-g245-wgx2",
"modified": "2026-01-23T00:31:17Z",
"published": "2026-01-23T00:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21521"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21521"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P4VJ-7PQG-XHR6
Vulnerability from github – Published: 2026-07-08 15:32 – Updated: 2026-07-08 21:30App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.
When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.
A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.
{
"affected": [],
"aliases": [
"CVE-2026-49147"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T15:16:27Z",
"severity": "HIGH"
},
"details": "App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.\n\nWhen ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.\n\nA file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.",
"id": "GHSA-p4vj-7pqg-xhr6",
"modified": "2026-07-08T21:30:26Z",
"published": "2026-07-08T15:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49147"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/PETDANCE/ack-v3.10.0/source/Changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/08/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PQ9P-PC3P-9HM4
Vulnerability from github – Published: 2024-12-27 03:31 – Updated: 2025-02-07 06:31A vulnerability was found in python-sql where unary operators do not escape non-Expression (like And and Or) which makes any system exposing those vulnerable to an SQL injection attack.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "python-sql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9774"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-27T18:02:41Z",
"nvd_published_at": "2024-12-27T02:15:07Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in python-sql where unary operators do not escape non-Expression (like `And` and `Or`) which makes any system exposing those vulnerable to an SQL injection attack.",
"id": "GHSA-pq9p-pc3p-9hm4",
"modified": "2025-02-07T06:31:14Z",
"published": "2024-12-27T03:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9774"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-9774"
},
{
"type": "WEB",
"url": "https://bugs.tryton.org/python-sql/93"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2332734"
},
{
"type": "WEB",
"url": "https://discuss.tryton.org/t/security-release-for-issue-93/7889"
},
{
"type": "WEB",
"url": "https://discuss.tryton.org/t/security-release-for-issue-93/7889/3"
},
{
"type": "WEB",
"url": "https://foss.heptapod.net/tryton/python-sql/-/commit/f20551bbb8b3b4c4dd0a2c3d36f377bff6f2f349"
},
{
"type": "PACKAGE",
"url": "https://github.com/tryton/python-sql"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00023.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "python-sql SQL injection vulnerability"
}
GHSA-PX7F-QJ7M-M4V6
Vulnerability from github – Published: 2024-03-27 21:30 – Updated: 2026-05-12 12:31wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
{
"affected": [],
"aliases": [
"CVE-2024-28085"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-27T19:15:48Z",
"severity": "LOW"
},
"details": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users\u0027 terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.",
"id": "GHSA-px7f-qj7m-m4v6",
"modified": "2026-05-12T12:31:36Z",
"published": "2024-03-27T21:30:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-xv2h-c6ww-mrjq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-202008.html"
},
{
"type": "WEB",
"url": "https://github.com/skyler-ferrante/CVE-2024-28085"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html"
},
{
"type": "WEB",
"url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux"
},
{
"type": "WEB",
"url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240531-0003"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2024/03/27/5"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/35"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/27/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/27/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/27/7"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/27/8"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/27/9"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/28/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/28/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/03/28/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R2VW-H337-2GXM
Vulnerability from github – Published: 2025-02-28 03:30 – Updated: 2025-02-28 03:30IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD console could allow an authenticated user to execute code due to improper neutralization of escape characters.
{
"affected": [],
"aliases": [
"CVE-2025-0975"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-28T03:15:10Z",
"severity": "HIGH"
},
"details": "IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD console could allow an authenticated user to execute code due to improper neutralization of escape characters.",
"id": "GHSA-r2vw-h337-2gxm",
"modified": "2025-02-28T03:30:55Z",
"published": "2025-02-28T03:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0975"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7183467"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R4GV-VJ59-CCCM
Vulnerability from github – Published: 2021-06-23 17:27 – Updated: 2021-05-21 18:06Impact
Control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action.
Patches
- Patched via https://github.com/ipfs/go-ipfs/pull/7831 in v0.8.0
For more information
If you have any questions or comments about this advisory: * Open an issue in go-ipfs * Email us at security@ipfs.io
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ipfs/go-ipfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26283"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-150"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T18:06:39Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nControl characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action.\n\n### Patches\n\u003c!-- _Has the problem been patched? What versions should users upgrade to?_ --\u003e\n\n- Patched via https://github.com/ipfs/go-ipfs/pull/7831 in v0.8.0\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ipfs](http://github.com/ipfs/go-ipfs)\n* Email us at [security@ipfs.io](mailto:security@ipfs.io)",
"id": "GHSA-r4gv-vj59-cccm",
"modified": "2021-05-21T18:06:39Z",
"published": "2021-06-23T17:27:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-r4gv-vj59-cccm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26283"
},
{
"type": "WEB",
"url": "https://github.com/ipfs/go-ipfs/pull/7831"
},
{
"type": "WEB",
"url": "https://github.com/ipfs/go-ipfs/commit/fb0a9acd2d8288bd1028c3219a420de62a09683a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Control character injection in console output in github.com/ipfs/go-ipfs "
}
GHSA-R95J-4JVF-MRRW
Vulnerability from github – Published: 2025-02-27 15:31 – Updated: 2025-02-27 17:16The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.
The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
This issue affects mongosh versions prior to 2.3.9.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mongosh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-1693"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-27T17:16:09Z",
"nvd_published_at": "2025-02-27T13:15:11Z",
"severity": "LOW"
},
"details": "The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.\n\nThe vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.\n\nThis issue affects mongosh versions prior to 2.3.9.",
"id": "GHSA-r95j-4jvf-mrrw",
"modified": "2025-02-27T17:16:09Z",
"published": "2025-02-27T15:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1693"
},
{
"type": "PACKAGE",
"url": "https://github.com/mongodb-js/mongosh"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/MONGOSH-2026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "MongoDB Shell may be susceptible to control character Injection via shell output"
}
GHSA-RRV5-483W-XMR9
Vulnerability from github – Published: 2025-04-23 18:31 – Updated: 2025-04-24 00:31In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.
{
"affected": [],
"aliases": [
"CVE-2024-58251"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-23T18:16:03Z",
"severity": "LOW"
},
"details": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.",
"id": "GHSA-rrv5-483w-xmr9",
"modified": "2025-04-24T00:31:19Z",
"published": "2025-04-23T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58251"
},
{
"type": "WEB",
"url": "https://bugs.busybox.net/show_bug.cgi?id=15922"
},
{
"type": "WEB",
"url": "https://www.busybox.net"
},
{
"type": "WEB",
"url": "https://www.busybox.net/downloads"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/04/23/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VFWW-5HM6-HX2J
Vulnerability from github – Published: 2025-10-27 18:31 – Updated: 2026-05-13 16:23Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.45"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.40"
},
{
"fixed": "9.0.109"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.60"
},
{
"last_affected": "8.5.100"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.45"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.40"
},
{
"fixed": "9.0.109"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.60"
},
{
"last_affected": "8.5.100"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0-M1"
},
{
"fixed": "10.1.45"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.40"
},
{
"fixed": "9.0.109"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.60"
},
{
"last_affected": "8.5.100"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55754"
],
"database_specific": {
"cwe_ids": [
"CWE-150"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-28T17:57:42Z",
"nvd_published_at": "2025-10-27T18:15:42Z",
"severity": "LOW"
},
"details": "Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.\n\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.",
"id": "GHSA-vfww-5hm6-hx2j",
"modified": "2026-05-13T16:23:31Z",
"published": "2025-10-27T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55754"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/138d7f5cfaae683078948303333c080e6faa75d2"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/5a3db092982c0c58d4855304167ee757fe5e79bb"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/a03cabf3a36a42d27d8d997ed31f034f50ba6cd5"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11"
},
{
"type": "WEB",
"url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/27/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences"
}
GHSA-VH22-6C6H-RM8Q
Vulnerability from github – Published: 2025-01-13 16:57 – Updated: 2025-01-13 21:49Summary
Jte HTML templates with script tags or script attributes that include a Javascript template string (backticks) are subject to XSS.
Details
The javaScriptBlock and javaScriptAttribute methods in the Escape class (source) do not escape backticks, which are used for Javascript template strings. Dollar signs in template strings should also be escaped as well to prevent undesired interpolation.
PoC
- Use the Jte Gradle Plugin with the following code in
src/jte/xss.jte:html @param String someMessage <!DOCTYPE html> <html lang="en"> <head> <title>XSS Test</title> <script>window.someVariable = `${someMessage}`;</script> </head> <body> <h1>XSS Test</h1> </body> </html> - Use the following Java code to demonstrate the XSS vulnerability:
java final StringOutput output = new StringOutput(); JtexssGenerated.render(new OwaspHtmlTemplateOutput(output), null, "` + alert(`xss`) + `"); renderHtml(output);
Impact
HTML templates rendered by Jte's OwaspHtmlTemplateOutput in versions less than or equal to 3.1.15 with script tags or script attributes that contain Javascript template strings (backticks) are vulnerable.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.15"
},
"package": {
"ecosystem": "Maven",
"name": "gg.jte:jte"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.15"
},
"package": {
"ecosystem": "Maven",
"name": "gg.jte:jte-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-23026"
],
"database_specific": {
"cwe_ids": [
"CWE-150",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-13T16:57:59Z",
"nvd_published_at": "2025-01-13T20:15:30Z",
"severity": "MODERATE"
},
"details": "### Summary\nJte HTML templates with `script` tags or script attributes that include a Javascript template string (backticks) are subject to XSS.\n\n### Details\nThe `javaScriptBlock` and `javaScriptAttribute` methods in the `Escape` class ([source](https://github.com/casid/jte/blob/main/jte-runtime/src/main/java/gg/jte/html/escape/Escape.java#L43-L83)) do not escape backticks, which are used for Javascript [template strings](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#description). Dollar signs in template strings should also be escaped as well to prevent undesired interpolation.\n\n### PoC\n1. Use the [Jte Gradle Plugin](https://jte.gg/gradle-plugin/) with the following code in `src/jte/xss.jte`:\n ```html\n @param String someMessage\n \u003c!DOCTYPE html\u003e\n \u003chtml lang=\"en\"\u003e\n \u003chead\u003e\n \u003ctitle\u003eXSS Test\u003c/title\u003e\n \u003cscript\u003ewindow.someVariable = `${someMessage}`;\u003c/script\u003e\n \u003c/head\u003e\n \u003cbody\u003e\n \u003ch1\u003eXSS Test\u003c/h1\u003e\n \u003c/body\u003e\n \u003c/html\u003e\n ```\n2. Use the following Java code to demonstrate the XSS vulnerability:\n ```java\n final StringOutput output = new StringOutput();\n JtexssGenerated.render(new OwaspHtmlTemplateOutput(output), null, \"` + alert(`xss`) + `\");\n renderHtml(output);\n ```\n\n### Impact\nHTML templates rendered by Jte\u0027s `OwaspHtmlTemplateOutput` in versions less than or equal to `3.1.15` with `script` tags or script attributes that contain Javascript template strings (backticks) are vulnerable.",
"id": "GHSA-vh22-6c6h-rm8q",
"modified": "2025-01-13T21:49:25Z",
"published": "2025-01-13T16:57:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/casid/jte/security/advisories/GHSA-vh22-6c6h-rm8q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23026"
},
{
"type": "WEB",
"url": "https://github.com/casid/jte/commit/a6fb00d53c7b8dbb86de933215dbe1b9191a57f1"
},
{
"type": "WEB",
"url": "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#description"
},
{
"type": "PACKAGE",
"url": "https://github.com/casid/jte"
},
{
"type": "WEB",
"url": "https://github.com/casid/jte/blob/main/jte-runtime/src/main/java/gg/jte/html/escape/Escape.java#L43-L83"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "jte\u0027s HTML templates containing Javascript template strings are subject to XSS"
}
Mitigation
Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Strategy: Output Encoding
While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Mitigation
When using output from an LLM, neutralize or strip escape codes before redirecting output to the terminal or other rendering engine that would process the codes. The neutralization could require that the character be printable and/or allowable whitespace, such as a carriage return or newline. Be deliberate about what to allow.
Mitigation
When using an LLM: during tokenizer training, suppress escape codes from the tokenizer's vocabulary. Depending on context, this could be accomplished by removing the codes from input to the tokenizer, or removing the map from the string to its token ID. It is generally unlikely that this removal would adversely affect the quality or correctness of what is generated, e.g. advice requests for terminal settings to change colors.
CAPEC-134: Email Injection
An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.
CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads
This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.
CAPEC-93: Log Injection-Tampering-Forging
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.