CVE-2021-23443: 
JavaScript vulnerability analysis and mitigation

A type confusion vulnerability (CVE-2021-23443) was discovered in the edge.js package versions before 5.3.2. The vulnerability was disclosed on September 1, 2021, and published on September 21, 2021. Edge.js is a Node.js templating engine that allows for HTML escaping to prevent XSS attacks. The vulnerability affects the input sanitization mechanism when handling array inputs instead of strings or SafeValue objects (Snyk Blog, NVD).

The vulnerability exists in the escape function of edge.js where input sanitization can be bypassed when the input to be rendered is an array instead of a string or SafeValue, even when using {{ }} template syntax. The CVSS v3.1 base score is 6.1 (Medium) according to NVD, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-843 (Access of Resource Using Incompatible Type - 'Type Confusion') (NVD, Snyk Advisory).

When exploited, this vulnerability could lead to Cross-site Scripting (XSS) attacks by bypassing the built-in HTML escaping functionality. This could allow attackers to inject malicious scripts into web applications using the edge.js template engine, potentially leading to cookie theft, session hijacking, or delivery of malware (Snyk Advisory).

The vulnerability was fixed in edge.js version 5.3.2. The fix involves modifying the escape function to properly handle all input types by converting them to strings before applying HTML escaping. Users should upgrade to version 5.3.2 or higher to address this vulnerability (Edge.js Commit).