Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
@blakeembrey/template vulnerable to code injection when attacker controls template input
Impact
An attacker who controls the template display name (the second argument to template()) can inject arbitrary JavaScript. The name is interpolated unescaped into the generated function source, so a crafted name can close the function header and append its own code, which runs as soon as template() is called, before the compiled template is ever rendered. The proof of concept below does exactly that:
const { template } = require('@blakeembrey/template');
// The second argument is the display name. This payload terminates the
// generated function header, runs an IIFE, and then supplies a new function
// keyword so the remaining generated source still parses. The console.log
// fires during compilation; the returned template is never even invoked.
template("Hello {{name}}!", "exploit() {} && ((()=>{ console.log('success'); })()) && function pwned");
Patches
Upgrade to @blakeembrey/template 1.2.0 or later, which removes the display name feature entirely.
Workarounds
If you cannot upgrade, never pass untrusted input as the template display name: omit the second argument, or pass only a hard-coded value chosen in your own code. The name must never be derived from request data, configuration supplied by users, or anything else an attacker can influence.
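To make the mechanism behind the Impact section and the workaround concrete, here is an added example. It is not code from @blakeembrey/template or its author: compileUnsafe is a hypothetical minimal template compiler that splices a caller-supplied display name into source for the Function constructor, the pattern the advisory describes, and compileSafe is a hardened variant that validates the name as a bare identifier and assigns it with Object.defineProperty instead of interpolating it. The helper names, the IDENT pattern and the PAYLOAD constant are all assumptions made for this illustration; the payload mirrors the shape of the advisory's proof of concept but sets a flag instead of logging so the injection can be checked programmatically.

```javascript
// Added example, not the package's source. compileUnsafe reconstructs the
// vulnerable pattern in miniature; compileSafe shows one way to harden it.

// Turns "Hello {{name}}!" into a function body. Literal text is JSON-escaped
// and placeholder keys are restricted to identifiers, so nothing from the
// template string itself can break out of the generated source.
function buildBody(source) {
  const re = /\{\{\s*([A-Za-z_$][\w$]*)\s*\}\}/g;
  const parts = [];
  let last = 0;
  let m;
  while ((m = re.exec(source)) !== null) {
    parts.push(JSON.stringify(source.slice(last, m.index)));
    parts.push(`String(data[${JSON.stringify(m[1])}])`);
    last = re.lastIndex;
  }
  parts.push(JSON.stringify(source.slice(last)));
  return `return ${parts.join(" + ")};`;
}

// VULNERABLE (hypothetical): the display name goes verbatim into source that
// Function() compiles, so a name containing `() {} && ...` becomes code that
// runs here, at compile time, regardless of whether the template is rendered.
function compileUnsafe(source, displayName = "anonymous") {
  return new Function(`return function ${displayName}(data) { ${buildBody(source)} }`)();
}

// A bare JavaScript identifier: the only thing a display name should ever be.
const IDENT = /^[A-Za-z_$][\w$]*$/;

// HARDENED: the name never reaches generated source. It is validated first and
// then applied to the compiled function through defineProperty.
function compileSafe(source, displayName = "anonymous") {
  if (!IDENT.test(displayName)) {
    throw new TypeError(`Invalid template display name: ${JSON.stringify(displayName)}`);
  }
  const fn = new Function("data", buildBody(source));
  Object.defineProperty(fn, "name", { value: displayName, configurable: true });
  return fn;
}

// Constructed payload with the same structure as the advisory's PoC. The IIFE
// sets a global flag so the side effect is observable without console output.
const PAYLOAD =
  "exploit() {} && ((() => { globalThis.pwned = true; })()) && function pwned";

// Returns true when the injected code executed during compilation.
function demoUnsafe() {
  globalThis.pwned = false;
  compileUnsafe("Hello {{name}}!", PAYLOAD);
  return globalThis.pwned;
}

// Returns { rejected, pwned }: the payload must be refused before any source
// is generated, leaving the flag untouched.
function demoSafe() {
  globalThis.pwned = false;
  let rejected = false;
  try {
    compileSafe("Hello {{name}}!", PAYLOAD);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { rejected, pwned: globalThis.pwned };
}

// Legitimate use of the hardened compiler: the name is still applied, and the
// template renders normally.
function demoRender() {
  const greet = compileSafe("Hello {{name}}!", "greet");
  return { name: greet.name, out: greet({ name: "world" }) };
}
```

demoUnsafe() returns true because the injected IIFE runs while template source is being compiled; no call to the returned function is needed, which is why the advisory's PoC never invokes its result. demoSafe() shows the same payload rejected by the identifier check with the flag still false. The upstream fix in 1.2.0 took the stronger route of removing the display name argument altogether; the validation shown here is what you would apply only if you must accept a name from outside your own code.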
References
Fixed by removing the display name feature in commit https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa.
Permalink: https://github.com/advisories/GHSA-q765-wm9j-66qj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNzY1LXdtOWotNjZxas4AA_QB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 5 days ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-q765-wm9j-66qj, CVE-2024-45390
References:
- https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj
- https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa
- https://nvd.nist.gov/vuln/detail/CVE-2024-45390
- https://github.com/advisories/GHSA-q765-wm9j-66qj
Blast Radius: 26.2
Affected Packages
npm:@blakeembrey/template
Dependent packages: 2
Dependent repositories: 3,851
Downloads: 510,089 last month
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions: 1.0.0, 1.1.0
All unaffected versions: 1.2.0