CVE-2022-25967
HIGHeta < 2.0.0 - Remote Code Execution via Express Render API View Options
Title source: llmDescription
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
References (4)
Core 4
Core References
Broken Link
https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/compile-string.ts%23L21
Broken Link
https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/file-handlers.ts%23L182
Patch, Third Party Advisory
https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138dd
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-ETA-2936803
Scores
CVSS v3
8.1
EPSS
0.1902
EPSS Percentile
95.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (2)
eta.js/eta
< 2.0.0
npm/eta
0 - 2.0.0npm
Published
Jan 30, 2023
Tracked Since
Feb 18, 2026