Server-Side Template Injection in Embedded JavaScript Templates for Node.js
CVE-2022-29078

9.8CRITICAL

Key Information:

Vendor: Ejs
Status: Ejs
Vendor: CVE Published:; 25 April 2022

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 93%

What is CVE-2022-29078?

The ejs (Embedded JavaScript templates) package version 3.1.6 for Node.js is susceptible to server-side template injection. This occurs when the 'settings[view options][outputFunctionName]' is manipulated, allowing an attacker to replace the outputFunctionName option with a malicious OS command. This command is executed during the process of template compilation, potentially compromising the server's security.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-29078
Created by miko550

CVE-2022-29078
Created by l0n3m4n

expluatation_CVE-2022-29078
Created by liam-star-black-master

References

https://github.com/mde/ejs/releases

x_refsource_MISC

https://eslam.io/posts/ejs-server-side-template-injection...

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20220804-0001/

x_refsource_CONFIRM

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Nov 5, 2024
👾
Exploit known to exist
Aug 3, 2024
Vulnerability published
Apr 25, 2022
Vulnerability Reserved
Apr 12, 2022

Ejs

Badges

What is CVE-2022-29078?

Exploit Proof of Concept (PoC)

References

EPSS Score

CVSS V3.1

Timeline