CVE-2022-25967

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in npm/eta

Identifiers

CVE-2022-25967, GHSA-mf6x-hrgr-658f

Package Slug

npm/eta

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE): template engine configuration variables can be overwritten by view options received through the Express render API. Note: this is exploitable only for users who render templates with user-defined data, i.e. who pass an object derived from untrusted input (such as a request body) directly to the render call.

Affected Versions

All versions before 2.0.0

Solution

Upgrade to version 2.0.0 or above.

Last Modified

2023-02-01
