CVE-2021-32818: 
JavaScript vulnerability analysis and mitigation

The CVE-2021-32818 vulnerability affects haml-coffee version 1.14.1 and earlier. This vulnerability was discovered and reported on May 14, 2021, and involves remote code execution (RCE) and reflected cross-site scripting (XSS) risks in the haml-coffee template engine when used with Express. The vulnerability stems from the template engine's configuration options being passed through the Express render API (GitHub Security Lab).

The vulnerability exists because haml-coffee supports overriding HTML helper functions through its configuration options. When used with Express's render API, the engine mixes pure template data with engine configuration options, which can lead to security issues if user-controlled request objects are passed to the template engine. Specifically, control over parameters like customHtmlEscape and escapeHtml can trigger RCE or XSS vulnerabilities in downstream applications (GitHub Security Lab).

The vulnerability has two main impact vectors: 1) Remote Code Execution (RCE) through the customHtmlEscape parameter, allowing attackers to execute arbitrary code on the server, and 2) Reflected Cross-Site Scripting (XSS) through the escapeHtml parameter, which can be used to bypass HTML sanitization and execute malicious scripts in users' browsers (GitHub Security Lab).

The issue affects haml-coffee version 1.14.1, which was the latest version at the time of disclosure. Applications should avoid passing user-controlled objects directly to the template engine's render function and implement proper validation of all user inputs before they reach the template engine (GitHub Security Lab).