Description
MJML prior to 4.6.3 contains a path traversal vulnerability when processing the mj-include directive within an MJML document.
Recommendation
Update the mjml package to the latest compatible version. Version details:
- Affected version(s): < 4.6.3
- Patched version(s): 4.6.3
References
- GHSA-4hch-r9xf-6vfr
- packetstormsecurity.com
- seclists.org
- CVE-2020-12827
- CWE-22
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827 - CVE-2025-67898
- nanotar is vulnerable to path traversal in parseTar() and parseTarGzip() - CVE-2025-69874
- @google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script - CVE-2026-4092
- Path traversal in rollup-plugin-serve - CVE-2020-7684
Tags:
- npm
- mjml
Last updated on October 19, 2023