Denial of Service (DoS) Affecting ejs package, versions <2.5.5
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Denial of Service (DoS) vulnerabilities in an interactive lesson.
Start learning- Snyk IDnpm:ejs:20161130-1
- published6 Dec 2016
- disclosed27 Nov 2016
- creditSnyk Security Research Team
Introduced: 27 Nov 2016
CVE-2017-1000189 (opens in a new tab)How to fix?
The vulnerability can be resolved by either using the GitHub integration to generate a pull-request from your dashboard or by running snyk wizard from the command-line interface.
Otherwise, Upgrade ejs to version 2.5.5 or higher.
Overview
ejs is a popular JavaScript templating engine.
Affected versions of the package are vulnerable to Denial of Service by letting the attacker under certain conditions control and override the localNames option causing it to crash.
You can read more about this vulnerability on the Snyk blog.
There's also a Remote Code Execution & Cross-site Scripting vulnerabilities caused by the same behaviour.
Details
ejs provides a few different options for you to render a template, two being very similar: ejs.render() and ejs.renderFile(). The only difference being that render expects a string to be used for the template and renderFile expects a path to a template file.
Both functions can be invoked in two ways. The first is calling them with template, data, and options:
ejs.render(str, data, options);
ejs.renderFile(filename, data, options, callback)
The second way would be by calling only the template and data, while ejs lets the options be passed as part of the data:
ejs.render(str, dataAndOptions);
ejs.renderFile(filename, dataAndOptions, callback)
If used with a variable list supplied by the user (e.g. by reading it from the URI with qs or equivalent), an attacker can control ejs options. This includes the localNames option, which will cause the renderer to crash.
ejs.renderFile('my-template', {localNames:'try'}, callback);
The fix introduced in version 2.5.3 blacklisted root options from options passed via the data object.
Disclosure Timeline
- November 28th, 2016 - Reported the issue to package owner.
- November 28th, 2016 - Issue acknowledged by package owner.
- December 06th, 2016 - Issue fixed and version
2.5.5released.