CVE-2017-1000189
Denial of Service vulnerability in ejs (npm)
What is CVE-2017-1000189 About?
The `ejs` package in Node.js, specifically versions older than 2.5.5, is vulnerable to a denial-of-service due to weak input validation in its `ejs.renderFile()` function. This flaw allows an attacker to render the application unresponsive. Exploitation is generally straightforward given the weak input validation.
Affected Software
Technical Details
Versions of the `ejs` package older than 2.5.5 suffer from a denial-of-service vulnerability rooted in insufficient input validation within `ejs.renderFile()`. When `ejs.renderFile()` processes untrusted or malformed input, it does not properly validate or sanitize the supplied data. This weak validation can lead to resource exhaustion (excessive memory allocation or CPU usage), potentially triggered by crafted template structures or input data that drive the EJS renderer into an inefficient or infinite loop, or that make it process an unreasonably large amount of data. The Node.js process then becomes unresponsive or crashes, denying service to legitimate users of the application.
What is the Impact of CVE-2017-1000189?
Successful exploitation may allow attackers to crash the application or render it unresponsive, leading to a complete denial of service.
What is the Exploitability of CVE-2017-1000189?
Exploitation of this vulnerability involves providing specially crafted input to an application that calls `ejs.renderFile()` with a vulnerable version of the `ejs` package. The effort needed to craft such input depends on the specific weaknesses in the input validation, but the vulnerability description attributes the flaw to 'weak input validation', which implies it is not overly complex. No authentication or privileges are required if the application exposes an endpoint that passes user-controlled data to `ejs.renderFile()`. The attack is typically remote, since the malicious input can be sent over the network. The primary risk factor is the application's direct exposure of user-controlled input to `ejs.renderFile()` without proper sanitization or validation.
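As an added example (not code from this advisory or from the ejs project), a defender-side check in JavaScript for the risk factor described above: a gate on the installed `ejs` version against the 2.5.5 fix, and an allow-list filter applied to user-supplied fields before they are handed to `ejs.renderFile()`. The allow-listed field names, the length cap and the handling of range markers like `^` are assumptions of the example.

```javascript
// Added example (not from the advisory or the ejs project): two defensive
// checks for an application that calls ejs.renderFile() with user input.
//
// 1. A version gate: ejs versions below 2.5.5 (the fixed release named in
//    the advisory) are affected.
// 2. An allow-list filter that decides which user-supplied fields may reach
//    the renderer at all. The field names and the size limit below are
//    hypothetical values chosen for this example.

const FIXED_VERSION = '2.5.5';
const MAX_FIELD_LENGTH = 256; // hypothetical cap bounding what the renderer sees

// Compare dotted numeric versions; returns negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when an installed ejs version is below the fixed release.
function isVulnerableEjsVersion(installed) {
  // Strip a leading range marker such as '^' or '~' from package.json values.
  const clean = installed.replace(/^[\^~=v]+/, '');
  return compareVersions(clean, FIXED_VERSION) < 0;
}

// Keep only allow-listed keys with short primitive values; unknown keys,
// nested objects and oversize strings are dropped, so untrusted structure
// never reaches ejs.renderFile() as template data or options.
function pickTemplateData(userInput, allowList) {
  const out = {};
  if (userInput === null || typeof userInput !== 'object') return out;
  for (const key of allowList) {
    if (!Object.prototype.hasOwnProperty.call(userInput, key)) continue;
    const v = userInput[key];
    if (typeof v === 'number' || typeof v === 'boolean') out[key] = v;
    else if (typeof v === 'string' && v.length <= MAX_FIELD_LENGTH) out[key] = v;
  }
  return out;
}

// Usage (hypothetical template and fields):
//   const data = pickTemplateData(req.body, ['name', 'greeting']);
//   ejs.renderFile('hello.ejs', data, {}, cb);   // with ejs >= 2.5.5
```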
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-1000189?
About the Fix from Resolved Security
Available Upgrade Options
- ejs
- <2.5.5 → Upgrade to 2.5.5
Additional Resources
- https://osv.dev/vulnerability/GHSA-6x77-rpqf-j6mw
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000189
- https://web.archive.org/web/20171123041449/http://www.securityfocus.com/bid/101893
- https://github.com/mde/ejs
- https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f
- https://github.com/advisories/GHSA-6x77-rpqf-j6mw
- http://www.securityfocus.com/bid/101893
What are Similar Vulnerabilities to CVE-2017-1000189?
Similar Vulnerabilities: CVE-2017-1000188, CVE-2019-1000018, CVE-2019-15655, CVE-2017-16137, CVE-2014-7191
