Description
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Recommendation
Update the ejs package to the latest compatible version. Version details:
- Affected version(s): < 3.1.7
- Patched version(s): 3.1.7
References
- GHSA-phwq-j96m-2c2q
- eslam.io
- security.netapp.com
- CVE-2022-29078
- CWE-74
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- CouchAuth has a Server-Side Template Injection vulnerability in its email functionality - CVE-2024-57177
- Nadesiko3 OS Command Injection vulnerability - CVE-2022-41642
- @okta/oidc-middleware Open Redirect vulnerability - CVE-2022-3145
- Denial of Service (DoS) vulnerability in RSSHub - CVE-2022-31110
Tags
- npm
- ejs
Last updated on January 30, 2023