Remote Code Execution Vulnerability in Node.js EJS by XSS Risk
CVE-2017-1000228

9.8CRITICAL

Key Information:

Vendor: Ejs
Status: Ejs
Vendor: CVE Published:; 17 November 2017

What is CVE-2017-1000228?

The EJS templating engine in Node.js, specifically versions prior to 2.5.3, is susceptible to remote code execution attacks. This vulnerability arises from insufficient input validation in the ejs.renderFile() function, potentially allowing attackers to execute arbitrary code. Developers using affected versions should update to the latest release to mitigate risks associated with this vulnerability and secure their applications against unauthorized access.

References

http://www.securityfocus.com/bid/101897

vdb-entryx_refsource_BID

https://snyk.io/vuln/npm:ejs:20161128

x_refsource_MISC

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 17, 2017
Vulnerability Reserved
Nov 16, 2017

Ejs

What is CVE-2017-1000228?

References

EPSS Score

CVSS V3.1

Timeline