Skip to content

@blakeembrey/template vulnerable to code injection when attacker controls template input

High severity GitHub Reviewed Published Sep 3, 2024 in blakeembrey/js-template • Updated Sep 3, 2024

Package

npm @blakeembrey/template (npm)

Affected versions

< 1.2.0

Patched versions

1.2.0

Description

Impact

It is possible to inject and run code within the template if the attacker has access to write the template name.

const { template } = require('@blakeembrey/template');

template("Hello {{name}}!", "exploit() {} && ((()=>{ console.log('success'); })()) && function pwned");

Patches

Upgrade to 1.2.0.

Workarounds

Don't pass untrusted input as the template display name, or don't use the display name feature.

References

Fixed by removing in blakeembrey/js-template@b8d9aa9.

References

@blakeembrey blakeembrey published to blakeembrey/js-template Sep 3, 2024
Published to the GitHub Advisory Database Sep 3, 2024
Reviewed Sep 3, 2024
Published by the National Vulnerability Database Sep 3, 2024
Last updated Sep 3, 2024

Severity

High

EPSS score

0.093%
(40th percentile)

Weaknesses

CVE ID

CVE-2024-45390

GHSA ID

GHSA-q765-wm9j-66qj

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.