CVE-2022-29078

CRITICAL EXPLOITED NUCLEI

ejs 3.1.6 - Server-Side Template Injection via outputFunctionName Option

Exploitation Summary

CVE-2022-29078 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including miko550, l0n3m4n, amusedx. A Nuclei detection template is also available.

Description

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Exploits (6)

nomisec WORKING POC 8 stars
by miko550 · remote
https://github.com/miko550/CVE-2022-29078

This repository demonstrates a Server-Side Template Injection (SSTI) vulnerability in EJS 3.1.6, leading to Remote Code Execution (RCE). The exploit leverages malicious input in the 'settings' query parameter to execute arbitrary commands via Node.js's child_process module.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: EJS (Embedded JavaScript templates) 3.1.6
No auth needed
Prerequisites: Docker environment to run the vulnerable application · Network access to the target application
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by l0n3m4n · remote-auth
https://github.com/l0n3m4n/CVE-2022-29078

This is a functional exploit for CVE-2022-29078, targeting a Server-Side Template Injection (SSTI) vulnerability in the EJS package for Node.js. It delivers a reverse shell payload via a crafted POST request to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: EJS (Embedded JavaScript templates) package 3.1.6 for Node.js
Auth required
Prerequisites: Target URL with vulnerable EJS endpoint · Valid credentials for authentication · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by amusedx · poc
https://github.com/amusedx/CVE-2022-29078

This repository contains a functional proof-of-concept for CVE-2022-29078, demonstrating a server-side template injection vulnerability in an Express.js application using EJS. The exploit showcases multi-hop taint propagation from user-controlled input to EJS template rendering, bypassing ineffective sanitization.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Express.js applications using EJS templates
No auth needed
Prerequisites: Express.js application with EJS template rendering · User-controlled input passed to EJS templates
devstral-2 · analyzed Apr 13, 2026

nomisec WORKING POC
by seal-sec-demo-2 · poc
https://github.com/seal-sec-demo-2/npm-demo

This repository demonstrates CVE-2022-29078, a server-side template injection vulnerability in EJS 2.7.4, allowing arbitrary JavaScript execution via the `outputFunctionName` parameter. The PoC includes a functional exploit URL that triggers a server crash and explains how Seal Security's patch mitigates the issue.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: EJS 2.7.4
No auth needed
Prerequisites: Express.js application using EJS 2.7.4 as a template engine · User-controlled input passed to EJS's `render()` method
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by chuckdu21 · remote
https://github.com/chuckdu21/CVE-2022-29078

This PoC exploits CVE-2022-29078, a remote code execution vulnerability in EJS (Embedded JavaScript templates) version 3.1.6. It leverages a prototype pollution attack to inject malicious code into the 'outputFunctionName' setting, allowing arbitrary command execution via Node.js's 'child_process' module.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: EJS (Embedded JavaScript templates) 3.1.6
No auth needed
Prerequisites: Target application using vulnerable EJS version · Network access to the target
devstral-2 · analyzed Feb 16, 2026

nomisec STUB
by shurochka1396 · poc
https://github.com/shurochka1396/expluatation_CVE-2022-29078

This repository contains a basic Express.js application with EJS templating but lacks any exploit code or demonstration of CVE-2022-29078. It appears to be a placeholder or incomplete PoC.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Unknown (no exploit implementation)
No auth needed
Prerequisites: None (no exploit present)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Node.js Embedded JavaScript 3.1.6 - Template Injection
CRITICAL · by For3stCo1d

References (3)

Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/mde/ejs/releases
Exploit, Patch, Third Party Advisory x_refsource_misc
https://eslam.io/posts/ejs-server-side-template-injection-rce/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220804-0001/

Scores

CVSS v3 9.8
EPSS 0.9346
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-09-18
CWE CWE-94
Status published
Products (2)
ejs/ejs 3.1.6
npm/ejs 0 - 3.1.7 (npm)
Published Apr 25, 2022
Tracked Since Feb 18, 2026