CVE-2022-25967
Remote Code Execution (RCE) vulnerability in eta (npm)
What is CVE-2022-25967 About?
The `eta` package before version 2.0.0 is vulnerable to Remote Code Execution (RCE) via overwriting template engine configuration variables with user-defined view options. This can allow an attacker to execute arbitrary code on the server. Exploitation requires user-defined data to be used when rendering templates and is moderately complex.
Affected Software
eta (npm), all versions before 2.0.0. Applications are exposed in practice when they render eta templates through the Express `res.render` API with data that a request can influence.
Technical Details
The RCE vulnerability in the eta template engine arises from insufficient separation between engine configuration and the data object passed to the file renderer. When an application renders through the Express render API, Express hands the view data and the view options to the engine as a single object, and in versions prior to 2.0.0 the referenced `file-handlers.ts` line builds the render configuration from that object. Any key the user controls in the data (for example, a request body merged into the view model) can therefore override engine settings such as `useWith` and `varName`. The referenced `compile-string.ts` line then splices `varName` directly into the source of the generated template function (the `with(<varName>||{})` prologue emitted when `useWith` is set), and that source is compiled with `new Function`. A configuration value containing JavaScript is thus executed with the privileges of the Node.js process as soon as the template is rendered. The issue is exploitable when an application passes user-defined data to the renderer without restricting which keys that data may contain.
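The following is an added example, not eta's code: a constructed, minimal model of the pattern described above. The toy compiler splices `config.varName` into the source of the generated template function the way the referenced `compile-string.ts` line does, and the vulnerable config builder treats the Express data object as config the way the referenced `file-handlers.ts` line does. A hardened builder that takes config only from a trusted options object and validates `varName` sits beside it. All function names, the `__cve_2022_25967_ran` marker and the attacker input are illustrative assumptions and are not eta's API or a published payload.

```javascript
// Constructed model of CVE-2022-25967 (added example; not eta's code).

const DEFAULT_CONFIG = { useWith: false, varName: "it" };
const CONFIG_KEYS = Object.keys(DEFAULT_CONFIG);

// Vulnerable: every key of the view data (which an app may fill from req.body
// or req.query) silently becomes a config override.
function getConfigVulnerable(data) {
  return Object.assign({}, DEFAULT_CONFIG, data);
}

// Hardened: config comes only from a trusted options object, only known keys
// are copied, and the value that reaches generated source is validated.
function getConfigHardened(options) {
  const cfg = { ...DEFAULT_CONFIG };
  for (const k of CONFIG_KEYS) {
    if (options && Object.prototype.hasOwnProperty.call(options, k)) cfg[k] = options[k];
  }
  if (typeof cfg.varName !== "string" || !/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(cfg.varName)) {
    throw new Error("varName must be a plain JavaScript identifier");
  }
  return cfg;
}

// Toy compile step: only `<%= expr %>` tags are supported.
function compileToString(template, config) {
  let src = "var tR='';\n";
  if (config.useWith) src += "with(" + config.varName + "||{}){\n"; // config reaches source here
  const tag = /<%=([\s\S]*?)%>/g;
  let last = 0;
  let m;
  while ((m = tag.exec(template)) !== null) {
    src += "tR+=" + JSON.stringify(template.slice(last, m.index)) + ";\n";
    src += "tR+=String(" + m[1].trim() + ");\n";
    last = m.index + m[0].length;
  }
  src += "tR+=" + JSON.stringify(template.slice(last)) + ";\n";
  if (config.useWith) src += "}\n";
  src += "return tR;";
  return src;
}

// varName is also the generated function's first parameter name, so it reaches
// `new Function` twice: once as a parameter, once inside the body.
function compile(template, config) {
  return new Function(config.varName, compileToString(template, config));
}

function renderVulnerable(template, data) {
  return compile(template, getConfigVulnerable(data))(data);
}

function renderHardened(template, data, options) {
  return compile(template, getConfigHardened(options))(data);
}

const TEMPLATE = "Hello <%= it.name %>";

// Constructed attacker input: ordinary view data plus config keys. The varName
// value is a default-parameter expression, so it executes when the compiled
// function runs; the marker on globalThis stands in for a real payload.
const ATTACKER_DATA = {
  name: "alice",
  useWith: true,
  varName: "it=(globalThis.__cve_2022_25967_ran=true)",
};

function demoVulnerable() {
  delete globalThis.__cve_2022_25967_ran;
  const output = renderVulnerable(TEMPLATE, ATTACKER_DATA);
  return { output, attackerCodeRan: globalThis.__cve_2022_25967_ran === true };
}

function demoHardened() {
  delete globalThis.__cve_2022_25967_ran;
  // Trusted options come from app configuration, never from the request.
  const output = renderHardened(TEMPLATE, ATTACKER_DATA, { useWith: true });
  return { output, attackerCodeRan: globalThis.__cve_2022_25967_ran === true };
}

console.log(JSON.stringify({ vulnerable: demoVulnerable(), hardened: demoHardened() }));
```

In the vulnerable path the attacker's `varName` lands in both the parameter list and the `with(...)` prologue of the generated function, so the marker is set during rendering even though the template itself is benign. In the hardened path the same request data is only ever read as `it.name`, and an attempt to put the attacker's `varName` into the trusted options is rejected before any source is generated.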
What is the Impact of CVE-2022-25967?
Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data theft, data destruction, or denial of service.
What is the Exploitability of CVE-2022-25967?
Exploitation complexity is moderate. Prerequisites are an application using eta in a version prior to 2.0.0 and rendering templates with user-defined data that is passed to the engine together with the view options, as happens with the Express render API when a request object (or a copy of its body or query) is handed to `res.render`. Whether authentication is required depends on whether unauthenticated users can reach such a render path; if they can, no authentication is needed. No additional privileges are required, and injected code runs with the privileges of the Node.js process hosting the application. Exploitation is remote, since the payload is delivered as part of a web request. The key condition is that user-controlled keys must reach the data object in a way that lets them overwrite engine configuration; applications that allowlist the fields they copy into the view model are not exposed in the same way. Risk factors that increase likelihood include customizable themes, templated user-generated content, and administrative interfaces that allow template or rendering options to be modified. A practical check when triaging is to search for `res.render(` and `renderFile(` calls whose data argument is built from `req.body`, `req.query` or `req.params` without filtering.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2022-25967?
Available Upgrade Options
- eta
- <2.0.0 → Upgrade to 2.0.0
Additional Resources
- https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/file-handlers.ts#L182
- https://osv.dev/vulnerability/GHSA-mf6x-hrgr-658f
- https://security.snyk.io/vuln/SNYK-JS-ETA-2936803
- https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/compile-string.ts#L21
- https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138dd
- https://github.com/eta-dev/eta
- https://nvd.nist.gov/vuln/detail/CVE-2022-25967
What are Similar Vulnerabilities to CVE-2022-25967?
Similar Vulnerabilities: CVE-2020-7798, CVE-2021-23380, CVE-2021-23472, CVE-2020-15250, CVE-2018-3729
