ejs lacks certain pollution protection
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Advisories for Npm/Ejs package
2024
2023
False positive
This advisory has been marked as a false positive. See https://github.com/mde/ejs/issues/720#issuecomment-1587399501
2022
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
2017
Improper Input Validation
The ejs module is vulnerable to a denial-of-service due to weak input validation in the ejs.renderFile().
Improper Input Validation
The ejs module is vulnerable to remote code execution due to weak input validation in ejs.renderFile() function.
Cross-site Scripting
The ejs module is vulnerable to a Cross-site-scripting in ejs.renderFile().