CVE-2022-29078

9.8 CRITICAL

📋 TL;DR

CVE-2022-29078 is a critical server-side template injection vulnerability in the EJS package for Node.js that allows remote code execution. Attackers who control the outputFunctionName option can inject arbitrary code into the template function that EJS generates during compilation, and through it execute arbitrary OS commands. This affects any Node.js application using vulnerable versions of the EJS templating engine.

💻 Affected Systems

Products:
  • EJS (Embedded JavaScript templates)
Versions: 3.1.6 and earlier
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application using EJS templates with user-controllable template options is vulnerable. The vulnerability exists in how EJS processes the outputFunctionName option.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining remote code execution, data exfiltration, lateral movement, and persistent backdoor installation.

🟠

Likely Case

Remote code execution leading to application takeover, sensitive data exposure, and potential deployment of malware or cryptominers.

🟢

If Mitigated

Limited impact due to proper input validation, sandboxing, and network segmentation preventing command execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Attackers can execute arbitrary commands by injecting malicious payloads into the outputFunctionName parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.7 and later

Vendor Advisory: https://github.com/mde/ejs/releases

Restart Required: Yes

Instructions:

1. Update the EJS package to version 3.1.7 or later using npm update ejs.
2. Restart the Node.js application.
3. Verify the update with npm list ejs.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platform: all

Implement strict input validation to prevent user-controlled values from being passed to EJS template options.

Environment Hardening

Platform: all

Run Node.js application with least privilege, disable unnecessary system commands, and implement network segmentation.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block suspicious template injection patterns
  • Isolate vulnerable applications in restricted network segments with no internet access

🔍 How to Verify

Check if Vulnerable:

Check package.json or run npm list ejs to see whether the installed version is 3.1.6 or earlier

Check Version:

npm list ejs | grep ejs

Verify Fix Applied:

Confirm npm list ejs shows version 3.1.7 or later and test template functionality
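As an added example (not part of this advisory or of the EJS project), the pattern the Input Validation workaround above targets, request data merged straight into the render options, shown next to a hardened allow-list version, plus a parser for the npm list output used in this section. The EJS option names are assumed from the EJS documentation, and the sample request is constructed.

```javascript
// EJS option names that must never be settable from a request. outputFunctionName is the
// one CVE-2022-29078 abuses; the others also steer compilation and are equally unsafe to
// expose. List assumed from the EJS documentation, not taken from this advisory.
const EJS_OPTION_KEYS = new Set([
  'outputFunctionName', 'localsName', 'client', 'compileDebug', 'debug', 'delimiter',
  'openDelimiter', 'closeDelimiter', 'escape', 'rmWhitespace', 'strict', '_with',
  'async', 'root', 'views', 'filename', 'cache', 'context', 'destructuredLocals',
]);

// Vulnerable pattern: the request query is spread into the object handed to render(),
// so any EJS option, outputFunctionName included, can be set by the client.
function vulnerableRenderOptions(reqQuery) {
  return { ...reqQuery };
}

// Hardened pattern: copy only an explicit allow-list of template variables and drop
// (and report) anything that collides with an EJS option name or is not expected.
function safeRenderOptions(reqQuery, allowedVars) {
  const locals = {};
  const dropped = [];
  for (const [key, value] of Object.entries(reqQuery)) {
    if (EJS_OPTION_KEYS.has(key) || !allowedVars.includes(key)) {
      dropped.push(key);
      continue;
    }
    locals[key] = String(value); // coerce so arrays/objects never reach the template
  }
  return { locals, dropped };
}

// Version check for the verify step: 3.1.7 and later carry the fix. Accepts either a
// bare version or the "ejs@x.y.z" form printed by npm list; pre-release tags are rejected.
function isVulnerableEjsVersion(version) {
  const [major, minor, patch] = version.replace(/^ejs@/, '').split('.').map(Number);
  if ([major, minor, patch].some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  if (major !== 3) return major < 3;
  if (minor !== 1) return minor < 1;
  return patch < 7;
}

// Constructed sample request: one legitimate template variable plus an option-name key.
const sampleQuery = { title: 'Hello', outputFunctionName: 'x' };
const guarded = safeRenderOptions(sampleQuery, ['title']);
if (guarded.dropped.length) console.warn('dropped option-like keys:', guarded.dropped);
```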

📡 Detection & Monitoring

Log Indicators:

  • Unusual template compilation errors
  • Suspicious command execution in application logs
  • Abnormal process spawning from Node.js

Network Indicators:

  • Outbound connections to suspicious IPs from Node.js process
  • Unexpected data exfiltration patterns

SIEM Query:

source="application.logs" AND ("outputFunctionName" OR "EJS" OR "template injection") AND severity="critical"

🔗 References
