CVE-2023-25344
📋 TL;DR
This vulnerability in Swig template engines allows attackers to execute arbitrary code by exploiting prototype pollution in Object.prototype. It affects applications using vulnerable versions of swig-templates (through 2.0.4) or swig (through 1.4.2) for server-side template rendering. Attackers can achieve remote code execution by crafting malicious template inputs.
💻 Affected Systems
- swig-templates
- swig
📦 What is this software?
Swig by Swig Project
Swig Templates by Swig Templates Project
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with arbitrary code execution leading to data theft, system takeover, and lateral movement within the network.
Likely Case
Remote code execution allowing attackers to read sensitive files, execute commands, and potentially pivot to other systems.
If Mitigated
Limited impact with proper input validation and sandboxing, potentially reduced to denial of service or information disclosure.
🎯 Exploit Status
Proof-of-concept exploits are publicly available. The vulnerability requires attacker-controlled template input but doesn't require authentication if templates accept user input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: swig-templates 2.0.5+, swig 1.4.3+
Vendor Advisory: https://github.com/node-swig/swig-templates/issues/89
Restart Required: Yes
Instructions:
1. Update swig-templates to version 2.0.5 or higher using 'npm update swig-templates'.
2. Update swig to version 1.4.3 or higher using 'npm update swig'.
3. Restart your Node.js application to apply the update.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to prevent malicious template content from reaching the Swig engine.
Template Sandboxing
Run Swig templates in isolated environments or containers to limit potential damage from code execution.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all template inputs
- Deploy network segmentation and restrict outbound connections from affected systems
🔍 How to Verify
Check if Vulnerable:
Check package.json for swig-templates version <=2.0.4 or swig version <=1.4.2. Run 'npm list swig-templates' and 'npm list swig' to see installed versions.
Check Version:
npm list swig-templates && npm list swig
Verify Fix Applied:
Verify installed versions are swig-templates >=2.0.5 or swig >=1.4.3 using 'npm list swig-templates' and 'npm list swig'.
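The version check above is manual; the following is an added example (not part of this advisory and not code from the Swig projects) that automates it over the JSON output of `npm ls --json --all`. It applies the advisory's thresholds (swig-templates <= 2.0.4, swig <= 1.4.2) and goes one step beyond the text by walking the whole dependency tree, so a vulnerable swig pulled in transitively by another package is reported with the path that introduced it. The dependency tree embedded below is constructed sample data, not a real project.

```javascript
// Added example: flag vulnerable swig / swig-templates versions in the
// JSON tree printed by `npm ls --json --all`. Fixed versions per the advisory.
const FIXED = {
  "swig-templates": "2.0.5",
  swig: "1.4.3",
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator returning <0, 0 or >0. A prerelease sorts before its release
// (2.0.5-beta.1 < 2.0.5), so a prerelease of the fixed version is still
// reported as unfixed rather than silently passing the check.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// True when `name` is one of the affected packages and `version` is below
// the first fixed release.
function isVulnerable(name, version) {
  if (!Object.prototype.hasOwnProperty.call(FIXED, name)) return false;
  return compareVersions(version, FIXED[name]) < 0;
}

// Recursively walk the `dependencies` map that `npm ls --json --all` emits,
// recording the chain of packages that led to each vulnerable entry.
function findVulnerable(tree, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, info] of Object.entries(deps)) {
    const here = [...path, `${name}@${info.version}`];
    if (info.version && isVulnerable(name, info.version)) {
      out.push({
        name,
        version: info.version,
        fixed: FIXED[name],
        path: here.join(" > "),
      });
    }
    findVulnerable(info, here, out);
  }
  return out;
}

// Constructed sample in the shape of `npm ls --json --all` output; the
// package names other than swig / swig-templates are placeholders.
const SAMPLE_NPM_LS = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "swig-templates": { version: "2.0.4" },
    "some-cms-plugin": {
      version: "3.1.0",
      dependencies: { swig: { version: "1.4.2" } },
    },
    express: { version: "4.18.2" },
  },
};

// Stand-alone run against the constructed sample: prints two findings.
for (const f of findVulnerable(SAMPLE_NPM_LS)) {
  console.log(`VULNERABLE ${f.name}@${f.version} (fixed in ${f.fixed}) via ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_NPM_LS` with `JSON.parse(require("fs").readFileSync(0, "utf8"))` and pipe `npm ls --json --all` into the script. An empty result does not prove the fix is applied if a package is vendored outside node_modules; the check only sees what npm reports.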
📡 Detection & Monitoring
Log Indicators:
- Unusual template rendering errors
- Suspicious JavaScript execution in template contexts
- Unexpected file read operations
Network Indicators:
- Outbound connections from template rendering processes
- Unusual data exfiltration patterns
SIEM Query:
source="application.logs" AND ("swig" OR "swig-templates") AND ("prototype" OR "Object.prototype" OR "template error")
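The SIEM query above is written in a generic free-text syntax; the following is an added example (not part of this advisory) of the same boolean logic applied to structured log records, so the AND/OR grouping can be checked against sample lines before the query goes into a production SIEM. The log records are constructed for the example; the field names `source` and `message` are assumptions, and real collectors will differ.

```javascript
// Added example: apply the advisory's SIEM query to structured log records.
//   source="application.logs"
//   AND ("swig" OR "swig-templates")
//   AND ("prototype" OR "Object.prototype" OR "template error")
// Matching is case-insensitive substring matching, as free-text SIEM searches
// commonly are; "swig-templates" is subsumed by "swig", and "Object.prototype"
// by "prototype", so the query reduces to two required terms.
const QUERY = {
  source: "application.logs",
  anyOf: [
    ["swig", "swig-templates"],
    ["prototype", "Object.prototype", "template error"],
  ],
};

// True when the record comes from the queried source and contains at least
// one term from every group.
function matchesSiemQuery(record, query = QUERY) {
  if (record.source !== query.source) return false;
  const text = String(record.message).toLowerCase();
  return query.anyOf.every((group) =>
    group.some((term) => text.includes(term.toLowerCase()))
  );
}

function filterLogs(records, query = QUERY) {
  return records.filter((r) => matchesSiemQuery(r, query));
}

// Constructed sample records (not real logs). Note that only record 1 and
// record 4 satisfy every group: record 2 names swig without a second-group
// term, record 3 has "template error" from a different source, and record 5
// has a second-group term without mentioning swig at all.
const SAMPLE_LOGS = [
  { id: 1, source: "application.logs", message: "swig-templates render failed: TypeError reading Object.prototype" },
  { id: 2, source: "application.logs", message: "swig: compiled template index.html in 3ms" },
  { id: 3, source: "web.access", message: "GET /render 500 template error" },
  { id: 4, source: "application.logs", message: "Swig Template Error in layout.html: unexpected token" },
  { id: 5, source: "application.logs", message: "prototype pollution guard: Object.freeze applied" },
];

// Stand-alone run: prints the ids of matching records (1 and 4).
console.log(filterLogs(SAMPLE_LOGS).map((r) => r.id));
```

Record 4 shows that the query is broad: any Swig template error matches, not only exploitation attempts, so hits from this rule need triage against the other indicators listed above (unexpected file reads, outbound connections from the rendering process) rather than alerting on their own.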
🔗 References
- https://github.com/node-swig/swig-templates/issues/89
- https://www.gem-love.com/2023/02/01/Swig%E6%A8%A1%E6%9D%BF%E5%BC%95%E6%93%8E0day%E6%8C%96%E6%8E%98-%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E5%92%8C%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/