mustache.js vulnerable?

  • Unknown's avatar
    nils23 · Member ·

    Hi there,
    a now-defunct site of mine was recently audited, and one of the findings was that there an old version of mustache.js included somehow:
    s0.wp.com/wp-content/js/mustache.js?ver=11.5.1-202247

    Supposedly this is vulnerable? In the code it says v0.5. something, not 11.5.1, which is really, really old, so I thought you might have missed updating the version number? Do you have any infos on that, maybe?

    All help would be very much appreciated!

    Thanks,

    nils

    The blog I need help with is: (visible only to logged in users)

  • aleone89 · Staff ·

    Hello Nils,

    Many thanks for reaching out.

    What is the URL of the defunct site and is it still active?

    s0.wp.com/wp-content/js/mustache.js?ver=11.5.1-202247

    I’m not too sure about the vulnerability you mention, but it looks like this a cached file from Jetpack’s CDN.

    It may be possible to remove this cached file.

  • Unknown's avatar
    nils23 · Member ·

    Hey aleone,

    thanks for your reply! – The site’s offline right now, but I found out where it was from: It’s been the Jetpack plugin!

    The problem is, that the file is actually v0.5.0-dev — this is really old and bug-ridden…

    I guess I have to go to Jetpack with this…?

  • machellie · Staff ·

    H there,

    Thanks for the detailed information here.

    The vulnerability is very narrow: it’s only a problem if mustache templates have dynamic unquoted attributes: https://snyk.io/vuln/npm:mustache:20151207

    Jetpack is only using mustache.js it for notifications (whose JS is also hosted by WP.com).

    That notifications script does not use mustache in that way, so we’re not using it in a vulnerable way.

    Saying that, we are looking into updating the use of mustache.js.

    Can you confirm whether you are using Jetpack on the site you are having this issue with? If you could, share a link here with us to the site.

    Looking forward to hearing from you.

  • Unknown's avatar
    nils23 · Member ·

    Thanks for the info! – Are you sure that you not using it in a vulnerable way bars everybody else from using it that way? :-)

    I had to switch Jetpack off for now, I’ve got them pentesters on my back!

    I would very much appreciate an update to mustache… I paid for Jetpack security and can’t use it now, as I can’t explain that old version to my customer(s pentesters)…

  • staff-doublebassd · Staff ·

    Thanks for the info! – Are you sure that you not using it in a vulnerable way bars everybody else from using it that way?

    We’re certain! We will definitely update mustache soon, but it is not being used by the notifications script, so there isn’t an urgency to do so based on a potential vulnerability.

    Hope this helps.

  • The topic ‘mustache.js vulnerable?’ is closed to new replies.