MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827

Description

MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type=”css” case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 4.18.0

References

• GHSA-45h5-66jx-r2wf
• CVE-2025-67898
• CWE-36
• CAPEC-310
• OWASP 2021-A6

Related Issues

• MJML vulnerable to path traversal - CVE-2020-12827
• Mammoth is vulnerable to Directory Traversal - CVE-2025-11849
• simplehttpserver allows directory traversal and file listing - CVE-2018-3787
• Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Ax - CVE-2026-42043

You might also like:

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

mjml