CVE-2022-29078:
ejs template injection vulnerability

CVSS Score (3.1): 9.8

Basic Information

EPSS Score: 0.99812%
Published: 4/26/2022
Updated: 1/30/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: ejs
Ecosystem: npm
Vulnerable Versions: < 3.1.7
First Patched Version: 3.1.7

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from two key points: (1) the compile function embedded an unvalidated outputFunctionName directly into the generated JavaScript code, allowing command injection; (2) the option-merging logic in renderFile allowed internal options to be overwritten via prototype pollution. The commit patched both by adding regex validation (_JS_IDENTIFIER) for option names and destructuredLocals entries, which confirms these were the injection vectors. Code generation during template compilation is the ultimate execution point, while option merging is what delivered the malicious payload.
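
As an added illustration (not ejs source and not code from this page), the sketch below models the code-generation step described above, with the unvalidated concatenation beside an identifier-checked version. The regex is an assumption standing in for _JS_IDENTIFIER, and the builder and audit function names are hypothetical.

```javascript
// Added illustration: a simplified model of template code generation, not ejs
// source. Names other than outputFunctionName/destructuredLocals are hypothetical.

// Assumption: ASCII-only identifier pattern standing in for _JS_IDENTIFIER.
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;
const PREAMBLE = 'var __output = "";\nfunction __append(s) { __output += s; }\n';

// "Before": the option value is concatenated straight into generated source.
function buildPreambleUnvalidated(opts) {
  let src = PREAMBLE;
  if (opts.outputFunctionName) {
    src += 'var ' + opts.outputFunctionName + ' = __append;\n';
  }
  return src;
}

// "After": every option that ends up in generated source must be an identifier.
function buildPreambleValidated(opts) {
  const locals = opts.destructuredLocals || [];
  const names = opts.outputFunctionName ? [opts.outputFunctionName, ...locals] : locals;
  for (const n of names) {
    if (typeof n !== 'string' || !JS_IDENTIFIER.test(n)) {
      throw new Error('not a valid JS identifier: ' + JSON.stringify(n));
    }
  }
  let src = buildPreambleUnvalidated(opts);
  for (const n of locals) src += 'var ' + n + ' = locals.' + n + ';\n';
  return src;
}

// Compare both builders for one option value without executing the output.
function audit(value) {
  const line = buildPreambleUnvalidated({ outputFunctionName: value }).split('\n')[2];
  let accepted = true;
  try { buildPreambleValidated({ outputFunctionName: value }); } catch (e) { accepted = false; }
  // More than one statement on the line means the value escaped its declaration.
  const statements = line.split(';').filter((s) => s.trim() !== '').length;
  return { line, statements, accepted };
}

// Constructed sample values: a legitimate name and one carrying extra statements.
for (const v of ['echo', 'x; marker(); var y']) console.log(audit(v));
```

The generated source is only inspected as a string here, never evaluated; the same identifier check applies to each destructuredLocals entry before it is written into a declaration.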
