7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45390

CVE-2024-45390: @blakeembrey/template vulnerable to code injection when attacker controls template input

Impact

It is possible to inject and run code within the template if the attacker has access to write the template name.

const { template } = require('@blakeembrey/template');

template("Hello {{name}}!", "exploit() {} && ((()=>{ console.log('success'); })()) && function pwned");

Patches

Upgrade to 1.2.0.

Workarounds

Don't pass untrusted input as the template display name, or don't use the display name feature.

References

Fixed by removing in https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-45390

CVE-2024-45390:

7.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@blakeembrey/template	npm	< 1.2.0	1.2.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized use of the 'displayName' parameter in two key functions:

In compile(), the displayName was directly embedded in the generated function string (function ${displayName}(...)), allowing code injection.
In template(), the displayName parameter was passed to compile() without validation. The commit fixed this by removing displayName from both functions' signatures. The combination of these functions' parameter handling created an injection vector when untrusted input was supplied as displayName.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-45390: @blakeembrey/template vulnerable to code injection when attacker controls template input

Impact

Patches

Workarounds

References

CVE-2024-45390:

7.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

7.3

7.3

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2024-45390: @blakeembrey/template vulnerable to code injection when attacker controls template input

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI