CVE-2022-29078: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

April 25, 2022 (updated August 8, 2023)

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

References

eslam.io/posts/ejs-server-side-template-injection-rce/
github.com/advisories/GHSA-phwq-j96m-2c2q
github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf
nvd.nist.gov/vuln/detail/CVE-2022-29078

Code Behaviors & Features

Detect and mitigate CVE-2022-29078 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →