Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE4ajYtcHdxeC1wbTk2

Insecure template handling in Squirrelly

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options, remote code execution may be triggered in downstream applications. Version 9.0.0 has a fix for this issue. For complete details, refer to the referenced GHSL-2021-023.

Permalink: https://github.com/advisories/GHSA-q8j6-pwqx-pm96
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE4ajYtcHdxeC1wbTk2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: about 1 year ago

CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Identifiers: GHSA-q8j6-pwqx-pm96, CVE-2021-32819
References: Repository: https://github.com/squirrellyjs/squirrelly
Blast Radius: 21.9

Affected Packages

npm:squirrelly
Dependent packages: 95
Dependent repositories: 540
Downloads: 116,720 last month
Affected Version Ranges: <= 8.0.8
Fixed in: 9.0.0
All affected versions: 1.0.0, 1.0.2, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 3.0.0, 3.0.1, 3.0.2, 4.0.0, 4.1.0, 5.0.0, 5.0.1, 5.1.0, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1, 7.3.0, 7.4.0, 7.5.0, 7.5.1, 7.6.0, 7.7.0, 7.8.0, 7.9.0, 7.9.1, 7.9.2, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8
All unaffected versions: 9.0.0, 9.1.0