Executive Summary

This vulnerability exists in the Marko framework, a declarative HTML-based language for building web applications. Before versions 5.38.36 of marko and 6.0.164 of @marko/runtime-tags, when dynamic text was inserted inside <script> or <style> tags, the Marko runtime did not properly prevent tag breakout if the closing tag used uppercase or mixed-case letters (e.g., </SCRIPT>, </Style>).

An attacker who can inject input inside these tags could exploit this to break out of the intended <script> or <style> block and inject arbitrary HTML or JavaScript code, leading to a cross-site scripting (XSS) vulnerability.

This issue has been fixed in marko version 5.38.36 and @marko/runtime-tags version 6.0.164.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to perform cross-site scripting (XSS) attacks by injecting arbitrary HTML or JavaScript into your web application.

Such attacks can lead to unauthorized actions on behalf of users, theft of sensitive information like cookies or session tokens, defacement of the website, or distribution of malware.

Because the vulnerability arises from improper handling of dynamic content inside <script> or <style> tags, any application using vulnerable versions of Marko or @marko/runtime-tags is at risk if user input is not properly sanitized.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Marko to version 5.38.36 or later and @marko/runtime-tags to version 6.0.164 or later. These versions include patches that prevent tag breakout when dynamic text is interpolated into <script> or <style> tags.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to inject arbitrary HTML or JavaScript via cross-site scripting (XSS) by breaking out of <script> or <style> tags when dynamic text interpolation is used unsafely. Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, and other malicious activities.

Because of these risks, the vulnerability could impact compliance with data protection and privacy regulations such as GDPR and HIPAA, which require organizations to protect personal and sensitive information from unauthorized access and breaches.

Exploiting this vulnerability could result in exposure or compromise of personal data, potentially leading to violations of these standards if not properly mitigated.

To maintain compliance, affected users should upgrade to the patched versions or sanitize untrusted data before interpolation to prevent exploitation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by identifying Marko templates that interpolate dynamic text inside <script> or <style> tags without proper case-insensitive handling of closing tags. Specifically, look for usage of vulnerable versions of marko (before 5.38.36) or @marko/runtime-tags (before 6.0.164) in your projects.

To detect potential exploitation attempts on your system or network, you can monitor HTTP requests or logs for suspicious payloads containing mixed-case closing tags like </SCRIPT> or </Style> inside script or style blocks, which indicate attempts to break out of these tags.

Suggested commands include searching your codebase for vulnerable package versions and unsafe interpolation patterns:

• Check installed package versions (example for npm): npm list marko @marko/runtime-tags
• Search code for interpolation inside script or style tags: grep -rE '<script[^>]*>.*\$\{.*\}.*</script>' ./
• Search logs or network traffic for suspicious payloads with mixed-case closing tags: grep -iE '</script>|</style>' /path/to/logs/*

Upgrading to patched versions or sanitizing inputs before interpolation is recommended to mitigate this vulnerability.

Useful 0 Not Useful 0