CVE-2021-32819

HIGH EXPLOITED IN THE WILD NUCLEI

Squirrelly <9.0.0 - RCE

Title source: llm

Description

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.

Exploits (1)

nomisec WORKING POC 10 stars

by Abady0x1 · remote

https://github.com/Abady0x1/CVE-2021-32819

View Code ZIP pw:eip

Nuclei Templates (1)

Nodejs Squirrelly - Remote Code Execution

HIGHby pikpikcu

References (4)

[Exploit, Third Party Advisory] https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/

[Patch] https://github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e

[Patch] https://github.com/squirrellyjs/squirrelly/commit/dca7a1e7ee91d8a6ffffb655f3f15647486db9da

[Issue Tracking] https://github.com/squirrellyjs/squirrelly/pull/254

Scores

CVSS v3 8.0

EPSS 0.8962

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Details

VulnCheck KEV 2024-02-07

InTheWild.io 2021-04-18

CWE

CWE-200

Status published

Products (2)

npm/squirrelly 0 - 9.0.0npm

squirrelly/squirrelly 8.0.8

Published May 14, 2021

Tracked Since Feb 18, 2026