CVE-2022-29078
Arbitrary OS Command Execution vulnerability in ejs


What is CVE-2022-29078 About?

This vulnerability affects the `ejs` package (v3.1.6 and earlier) in Node.js, allowing for server-side template injection. An attacker can exploit the `settings[view options][outputFunctionName]` parameter to inject and execute arbitrary OS commands upon template compilation. This is a severe vulnerability that can lead to remote code execution and is relatively easy to exploit.

Affected Software

ejs <3.1.7

Technical Details

The `ejs` (Embedded JavaScript templates) package, specifically in versions up to and including 3.1.6, is vulnerable to server-side template injection. The flaw resides in the handling of the `settings[view options][outputFunctionName]` parameter. This parameter is parsed as an internal option within the `ejs` engine. A malicious actor can craft input that overwrites the `outputFunctionName` option with an arbitrary Operating System (OS) command. When the template is subsequently compiled, the `ejs` engine will execute this injected OS command, leading to arbitrary command execution on the server. The attack vector is through controlled input that influences the template compilation process and the `outputFunctionName` parameter.

What is the Impact of CVE-2022-29078?

Successful exploitation may allow attackers to execute arbitrary operating system commands on the server, potentially leading to full system compromise, data theft, or complete control over the affected application.

What is the Exploitability of CVE-2022-29078?

Exploitation requires the ability to control input that is used to configure or compile EJS templates, specifically the `outputFunctionName` option. The complexity is low to medium, as it involves crafting a specific payload within a template option. No authentication on the underlying OS is required, only the ability to supply the malicious input to the EJS template compilation. Remote exploitation is possible if the application allows user input to control template compilation parameters. No special privileges are required beyond what is needed to interact with the application's templating engine. The key prerequisite is an application that uses `ejs` and allows external control over template compilation settings. Risk increases when `ejs` is exposed to untrusted input without proper sanitization.

What are the Known Public Exploits?

PoC Author      Link   Commentary
miko550         Link   vuln ejs 3.1.6 docker
l0n3m4n         Link   Serverside Template Injection (SSTI) RCE - THM challenge "whiterose"
shurochka1396   Link   PoC for CVE-2022-29078

What are the Available Fixes for CVE-2022-29078?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch fixes CVE-2022-29078 by ensuring that user-supplied values for outputFunctionName, localsName, and entries in destructuredLocals are validated as valid JavaScript identifiers before being used to construct code dynamically. This prevents attackers from injecting arbitrary JavaScript via these options, blocking code execution and template injection vulnerabilities.
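As an added example (not code from this page or from the ejs project), the check described above: validate `outputFunctionName`, `localsName` and every entry of `destructuredLocals` as JavaScript identifiers before they are concatenated into generated source. The identifier regex and the simplified prologue builder are this example's own assumptions, not ejs's implementation.

```javascript
// Conservative ASCII identifier rule used by this example (assumption, stricter
// than the full ECMAScript definition, which is fine for a safety check).
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;

function isJsIdentifier(value) {
  return typeof value === 'string' && JS_IDENTIFIER.test(value);
}

// Reject any option value that would be emitted verbatim into compiled code.
// Returns normalized options or throws, so a caller cannot skip the check.
function validateTemplateOptions(opts = {}) {
  const { outputFunctionName, localsName, destructuredLocals } = opts;
  if (outputFunctionName !== undefined && !isJsIdentifier(outputFunctionName)) {
    throw new Error('outputFunctionName is not a valid JS identifier.');
  }
  if (localsName !== undefined && !isJsIdentifier(localsName)) {
    throw new Error('localsName is not a valid JS identifier.');
  }
  if (destructuredLocals !== undefined &&
      (!Array.isArray(destructuredLocals) || !destructuredLocals.every(isJsIdentifier))) {
    throw new Error('destructuredLocals contains a name that is not a valid JS identifier.');
  }
  return {
    outputFunctionName,
    localsName: localsName === undefined ? 'locals' : localsName,
    destructuredLocals: destructuredLocals || [],
  };
}

// Simplified analogue (assumption) of how a template compiler assembles the
// prologue of the generated render function. Every name spliced in below
// comes from options, which is exactly why they are validated first.
function buildPrologue(opts) {
  const o = validateTemplateOptions(opts);
  let src = 'var __output = "";\n';
  src += 'function __append(s) { if (s !== undefined && s !== null) __output += s; }\n';
  if (o.outputFunctionName) {
    src += 'var ' + o.outputFunctionName + ' = __append;\n';
  }
  for (const name of o.destructuredLocals) {
    src += 'var ' + name + ' = ' + o.localsName + '.' + name + ';\n';
  }
  return src;
}
```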

Available Upgrade Options

  • ejs
    • <3.1.7 → Upgrade to 3.1.7


Additional Resources

What are Similar Vulnerabilities to CVE-2022-29078?

Similar Vulnerabilities: CVE-2022-21724, CVE-2021-44228, CVE-2021-45046, CVE-2022-23305, CVE-2022-31160