CVE-2021-32819

HIGH EXPLOITED IN THE WILD NUCLEI

squirrelly < 9.0.0 - Remote Code Execution via Express Render API

Title source: llm

Exploitation Summary

CVE-2021-32819 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Abady0x1. A Nuclei detection template is also available.

AI-analyzed exploit summary The exploit leverages SquirrellyJS template engine misconfiguration to inject malicious code via the 'defaultFilter' parameter, leading to remote code execution. It sends a crafted HTTP request with a reverse shell payload to the target application.

Description

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.

Exploits (1)

nomisec WORKING POC 10 stars

by Abady0x1 · remote

https://github.com/Abady0x1/CVE-2021-32819

View Code ZIP pw:eip

The exploit leverages SquirrellyJS template engine misconfiguration to inject malicious code via the 'defaultFilter' parameter, leading to remote code execution. It sends a crafted HTTP request with a reverse shell payload to the target application.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: SquirrellyJS v8.0.0 to v8.0.8

No auth needed

Prerequisites: Target application using vulnerable SquirrellyJS version · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Nodejs Squirrelly - Remote Code Execution

HIGHby pikpikcu

References (4)

Core 4

Core References

Exploit, Third Party Advisory

https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/

Patch

https://github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e

View Patch ZIP pw:eip

Patch

https://github.com/squirrellyjs/squirrelly/commit/dca7a1e7ee91d8a6ffffb655f3f15647486db9da

View Patch ZIP pw:eip

Issue Tracking

https://github.com/squirrellyjs/squirrelly/pull/254

Scores

CVSS v3 8.0

EPSS 0.8962

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Details

VulnCheck KEV 2024-02-07

InTheWild.io 2021-04-18

CWE

CWE-200

Status published

Products (2)

npm/squirrelly 0 - 9.0.0npm

squirrelly/squirrelly 8.0.8

Published May 14, 2021

Tracked Since Feb 18, 2026