CVE-2017-1000228
published 2017-11-17CVE-2017-1000228: nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
PriorityP259critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
6.33%
92.8th percentile
nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ejs | < node-ejs 2.5.7-1 (bookworm) | node-ejs 2.5.7-1 (bookworm) |
| ejs | ejs | < 2.5.3 | 2.5.3 |
| ejs | ejs | >= 0 < 2.5.5 | 2.5.5 |
Detection & IOCsextracted from sources · hover to see the quote
- →Target function for exploitation is ejs.renderFile() — monitor for unexpected or unsanitized user-controlled input passed to this function in Node.js applications using EJS versions older than 2.5.3 ↗
- ·Vulnerability is scoped as local exploitation; remote code execution requires the attacker to influence input passed to ejs.renderFile() within the local application context ↗
- ·All Debian tracked branches (bookworm, bullseye, forky, sid, trixie) are resolved at package version 2.5.7-1; ensure deployed EJS is at least 2.5.3 (upstream fix) or 2.5.7-1 (Debian package) ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv9.8CRITICAL
vendor_debian9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
ejs is vulnerable to remote code execution due to weak input validation
ghsa·2017-11-30
CVE-2017-1000228 [CRITICAL] CWE-20 ejs is vulnerable to remote code execution due to weak input validation
ejs is vulnerable to remote code execution due to weak input validation
nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in `ejs.renderFile()` function
OSV
ejs is vulnerable to remote code execution due to weak input validation
osv·2017-11-30
CVE-2017-1000228 [CRITICAL] ejs is vulnerable to remote code execution due to weak input validation
ejs is vulnerable to remote code execution due to weak input validation
nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in `ejs.renderFile()` function
OSV
CVE-2017-1000228: nodejs ejs versions older than 2
osv·2017-11-17·CVSS 9.8
CVE-2017-1000228 [CRITICAL] CVE-2017-1000228: nodejs ejs versions older than 2
nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
Debian
CVE-2017-1000228: node-ejs - nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due ...
vendor_debian·2017·CVSS 9.8
CVE-2017-1000228 [CRITICAL] CVE-2017-1000228: node-ejs - nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due ...
nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function
Scope: local
bookworm: resolved (fixed in 2.5.7-1)
bullseye: resolved (fixed in 2.5.7-1)
forky: resolved (fixed in 2.5.7-1)
sid: resolved (fixed in 2.5.7-1)
trixie: resolved (fixed in 2.5.7-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2017-11-17
Published