ejs is vulnerable to remote code execution due to weak input validation

Description

nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function

Recommendation

Update the ejs package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.5.3
• Patched version(s): 2.5.5

References

• GHSA-3w5v-p54c-f74x
• snyk.io
• web.archive.org
• CVE-2017-1000228
• CWE-20
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Volto affected by possible DoS by invoking specific URL by anonymous user - CVE-2025-58047
• Potential DoS when using ContextLines integration (GHSA-r5w7-f542-q2j4) 10 - Vulnerability
• @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 3 - CVE-2024-52810
• @intlify/shared Prototype Pollution vulnerability (GHSA-hjwq-mjwj-4x6c) 2 - CVE-2024-52810

Tags:

npm

ejs