PatchSiren

PatchSiren cyber security CVE debrief

CVE-2015-8862 Mustache.js Project CVE debrief

CVE-2015-8862 describes a cross-site scripting issue in the mustache package for Node.js in versions before 2.2.1. According to NVD, the weakness is CWE-79 and exploitation requires user interaction; the unsafe output arises when a rendered template includes an unquoted attribute. The practical defensive takeaway is straightforward: update mustache to 2.2.1 or later and review templates that render into HTML attributes, especially where input may be attacker-controlled.

Vendor: Mustache.js Project
Product: CVE-2015-8862
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Teams running Node.js applications that use mustache to render HTML templates, especially if templates contain unquoted attributes or render untrusted values into markup.

Technical summary

The NVD record states that mustache package versions before 2.2.1 are vulnerable to XSS when a template contains an attribute that is not quoted. The mapped weakness is CWE-79. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: a network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low confidentiality and integrity impact, and no availability impact.

Defensive priority

Medium. The issue is important for applications that generate browser-facing HTML from mustache templates, but mitigation is primarily an upgrade and template hygiene task rather than an emergency response.

Recommended defensive actions

  • Upgrade mustache to version 2.2.1 or later everywhere it is used.
  • Search templates for unquoted HTML attributes and convert them to quoted attributes.
  • Review any rendering paths that place untrusted or partially trusted data into HTML output.
  • Re-test pages and components that use mustache-rendered attributes after upgrading.
  • Add dependency scanning or inventory checks so older mustache versions are flagged during builds and releases.
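
The template search and version check from the actions above, as an added example (not code from the mustache project or from NVD). The function names and the sample template are constructed for illustration, and the scan is a regex heuristic, not an HTML parser, so each hit needs manual review.

```javascript
// First release the page lists as fixed for CVE-2015-8862.
const FIXED = [2, 2, 1];

// True when an exact "x.y.z" mustache version is older than the fixed release.
// Any pre-release suffix ("-beta") is ignored (simplifying assumption).
function isAffectedVersion(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return false;
}

// Blank out quoted values so text inside quotes is never reported.
function maskQuoted(tag) {
  return tag.replace(/"[^"]*"|'[^']*'/g, q => q[0] + ' '.repeat(q.length - 2) + q[0]);
}

// Report attributes whose unquoted value contains a {{tag}} or {{{tag}}}.
// Only text inside an opening HTML tag is inspected; tags may span lines.
function findUnquotedAttributes(template) {
  const findings = [];
  for (const tag of template.matchAll(/<[A-Za-z][^<>]*>/g)) {
    const masked = maskQuoted(tag[0]);
    const attr = /([A-Za-z_:][\w:.-]*)\s*=\s*([^\s"'<>=]*\{\{[^}]*\}\}\}?)/g;
    for (const m of masked.matchAll(attr)) {
      const offset = tag.index + m.index;
      const line = template.slice(0, offset).split('\n').length;
      findings.push({ line, attribute: m[1], value: m[2] });
    }
  }
  return findings;
}

// Constructed sample template (not taken from any real project).
const SAMPLE = [
  '<a href="{{url}}" title=\'{{title}}\'>ok</a>',
  '<a href={{url}}>unquoted</a>',
  '<div class=btn-{{kind}}',
  '     data-note="id={{id}}">partly unquoted</div>',
  '<p>total = {{total}}</p>',
].join('\n');

console.log(findUnquotedAttributes(SAMPLE));
console.log(isAffectedVersion('2.2.0'), isAffectedVersion('2.2.1'));
```
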

Evidence notes

The evidence corpus includes the NVD CVE record and linked references. NVD lists the vulnerable CPE range as mustache.js_project versions up to and including 2.2.0, with CWE-79 and the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. NVD references a mailing-list advisory dated 2016-04-20, a Node Security advisory (62) marked as Exploit/Patch/Vendor Advisory, and a Tenable advisory, which support the product/version and remediation framing.

Official resources

The CVE record was published on 2017-01-23. NVD references an earlier mailing-list advisory dated 2016-04-20 and the Node Security advisory 62 as supporting disclosures/remediation references.