cbcvebase.
CVE-2017-1000228
published 2017-11-17

CVE-2017-1000228: nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function

PriorityP259critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
6.33%
92.8th percentile
nodejs ejs versions older than 2.5.3 is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function

Affected

3 ranges
VendorProductVersion rangeFixed in
debiannode-ejs< node-ejs 2.5.7-1 (bookworm)node-ejs 2.5.7-1 (bookworm)
ejsejs< 2.5.32.5.3
ejsejs>= 0 < 2.5.52.5.5

Detection & IOCsextracted from sources · hover to see the quote

  • Target function for exploitation is ejs.renderFile() — monitor for unexpected or unsanitized user-controlled input passed to this function in Node.js applications using EJS versions older than 2.5.3
  • ·Vulnerability is scoped as local exploitation; remote code execution requires the attacker to influence input passed to ejs.renderFile() within the local application context
  • ·All Debian tracked branches (bookworm, bullseye, forky, sid, trixie) are resolved at package version 2.5.7-1; ensure deployed EJS is at least 2.5.3 (upstream fix) or 2.5.7-1 (Debian package)

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv9.8CRITICAL
vendor_debian9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.