CVE-2022-25967: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
(updated )
Versions of the package eta before 2.0.0 is vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. Note: This is exploitable only for users who are rendering templates with user-defined data.
References
- github.com/advisories/GHSA-mf6x-hrgr-658f
- github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/compile-string.ts%23L21
- github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/file-handlers.ts%23L182
- github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138dd
- nvd.nist.gov/vuln/detail/CVE-2022-25967
- security.snyk.io/vuln/SNYK-JS-ETA-2936803
Detect and mitigate CVE-2022-25967 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →