CVE-2023-29827

9.8 CRITICAL

📋 TL;DR

CVE-2023-29827 is a server-side template injection vulnerability in ejs v3.1.9. An attacker who can control the options passed to the ejs render function, in particular the closeDelimiter value, or the template text itself, can execute arbitrary JavaScript in the Node.js process. It affects applications that forward untrusted input (typically request parameters) into ejs template or render options. The vendor disputes the CVE, taking the position that passing untrusted input to ejs render options is a defect in the calling application rather than in ejs, whose templates execute code by design. The reported root cause is missing validation of the closeDelimiter option.

💻 Affected Systems

Products:
  • ejs (Embedded JavaScript templates)
Versions: v3.1.9 (the version named in the advisory)
Operating Systems: All platforms where ejs is used
Default Config Vulnerable: ⚠️ Yes (no ejs setting prevents it; exposure depends on whether the application lets untrusted input reach render)
Notes: Exploitable only when untrusted input reaches the template or the options of the ejs render function. The vendor considers that usage unsupported and out of scope.

📦 What is this software?

EJS (Embedded JavaScript) is a templating engine for Node.js that compiles templates containing <% %> tags into JavaScript functions. Templates execute arbitrary JavaScript by design, so whoever controls a template, or the options that control how it is compiled, controls code execution in the rendering process.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Arbitrary JavaScript execution with the privileges of the Node.js process, which typically means file system access, secrets from environment variables, and outbound network access from the application host.

🟢

If Mitigated

No impact if ejs is used only with trusted templates as intended by the vendor.

🌐 Internet-Facing: HIGH if applications accept untrusted template input from external sources.
🏢 Internal Only: MEDIUM if internal applications process untrusted templates, LOW if only trusted templates are used.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires that attacker-controlled data reach the render call as the closeDelimiter option (or as template text). Proof-of-concept code is available in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.1.10 and later

Vendor Advisory: https://github.com/mde/ejs/blob/main/SECURITY.md

Restart Required: Yes

Instructions:

1. Update ejs to v3.1.10 or later with npm install ejs@^3.1.10 (npm update ejs only moves within the range already in package.json, so an exact pin of 3.1.9 will not change).
2. Check for nested copies installed under other packages with npm ls ejs and update or override those as well.
3. Restart the application to load the updated package.
4. Verify that every copy of ejs now reports 3.1.10 or higher.

🔧 Temporary Workarounds

Input validation and sanitization

Applies to: all

Do not build ejs data or option objects from raw request input. Pick only the fields the template needs, validate each one, and keep the engine options (closeDelimiter, openDelimiter, delimiter, outputFunctionName and the other compile-time options) fixed in code rather than merged from the request.

Template whitelisting

Applies to: all

Maintain an allowlist of template names, resolve each to a file under the application's views directory, and never accept a template path or template body from a request.
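The two workarounds above combined, as an added example that is not code from this advisory or from the ejs project. It models the boundary between an HTTP request and an ejs render call: the template name is allowlisted and the data object is rebuilt field by field so that no request parameter can become an ejs engine option. The views directory, the template names and the field rules are assumptions; the engine option names are ejs's own.

```javascript
'use strict';
// Added example (not from the advisory or the ejs project). The boundary
// between a request and ejs.renderFile(template, data, options): template
// name allowlisted, data rebuilt field by field, options fixed in code.
// VIEWS_DIR, ALLOWED_TEMPLATES and FIELD_RULES are assumed for illustration.

const VIEWS_DIR = '/srv/app/views'; // assumed deployment path
const ALLOWED_TEMPLATES = new Set(['index', 'profile', 'report']);

// Option names ejs honours from the options argument and, for several of
// them, from the data object as well. A request must never supply these.
const ENGINE_OPTION_KEYS = new Set([
  'delimiter', 'openDelimiter', 'closeDelimiter', 'outputFunctionName',
  'localsName', 'client', 'compileDebug', 'debug', 'escape', 'filename',
  'root', 'views', 'includer', 'destructuredLocals', 'strict', '_with',
  'rmWhitespace', 'async', 'cache', 'context', 'beautify',
]);

// Fields this page may receive, each with a validator (assumed schema).
const FIELD_RULES = {
  user: (v) => typeof v === 'string' && /^[a-z0-9_]{1,32}$/i.test(v),
  page: (v) => typeof v === 'string' && /^[0-9]{1,4}$/.test(v),
};

// Engine options are fixed in code and handed to ejs separately from data.
const FIXED_OPTIONS = Object.freeze({
  openDelimiter: '<', closeDelimiter: '>', delimiter: '%', cache: true,
});

// Vulnerable shape (for contrast): the whole query object is forwarded, so
// ?closeDelimiter=... or ?outputFunctionName=... reaches ejs as an option.
function vulnerableRenderInput(query) {
  return { template: `${VIEWS_DIR}/${query.view}.ejs`, data: { ...query } };
}

// Hardened shape: refuse engine option names outright, allowlist the template
// name, and copy only validated fields into a fresh null-prototype object.
function hardenedRenderInput(query) {
  for (const key of Object.keys(query)) {
    if (ENGINE_OPTION_KEYS.has(key)) {
      // Worth logging: a request carrying an ejs option name is a probe.
      throw new Error(`ejs engine option in request: ${key}`);
    }
  }
  const name = typeof query.view === 'string' ? query.view : 'index';
  if (!ALLOWED_TEMPLATES.has(name)) throw new Error(`unknown template: ${name}`);

  const data = Object.create(null);
  for (const [key, valid] of Object.entries(FIELD_RULES)) {
    if (Object.prototype.hasOwnProperty.call(query, key) && valid(query[key])) {
      data[key] = query[key];
    }
  }
  return { template: `${VIEWS_DIR}/${name}.ejs`, data };
}

// Arguments for ejs.renderFile(template, data, options, callback): data and
// options stay separate, and options never derive from the request.
function renderArgs(query) {
  const { template, data } = hardenedRenderInput(query);
  return [template, data, FIXED_OPTIONS];
}
```

In an Express application the same rule applies to res.render(name, data): Express hands the data object to the view engine as its options, so the data object must be built the hardened way, and engine options belong in code (for example via app.set('view options', ...)), never in the request.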

🧯 If You Can't Patch

  • Isolate ejs usage to only process pre-approved, trusted template files from secure sources.
  • Implement network segmentation to limit potential lateral movement if exploitation occurs.

🔍 How to Verify

Check if Vulnerable:

Run npm ls ejs at the project root, or inspect package-lock.json, which also lists nested copies installed under other packages, and see whether any copy is exactly 3.1.9. Compare versions numerically: 3.1.10 is newer than 3.1.9 even though it sorts earlier as a string.

Check Version:

npm list ejs | grep ejs

Verify Fix Applied:

Confirm ejs version is 3.1.10 or higher using npm list ejs command.
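A lockfile scan for the checks above, as an added example that is not part of this advisory or the ejs project. It finds every copy of ejs in a package-lock.json (hoisted or nested), compares versions numerically rather than as strings, and reports which copies still need the update. The lockfile content is constructed for the demonstration.

```javascript
'use strict';
// Added example (not from the advisory or the ejs project). Scans a parsed
// package-lock.json for every copy of ejs and classifies each version against
// the advisory's 3.1.9 / 3.1.10 boundary. SAMPLE_LOCK is constructed.

const VULNERABLE_VERSION = '3.1.9'; // version named by CVE-2023-29827
const FIXED_VERSION = '3.1.10';     // patch version stated in the advisory

// Numeric semver comparison. A plain string comparison gets this wrong:
// '3.1.10' > '3.1.9' is false in JavaScript because '1' sorts before '9'.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function classify(version) {
  if (version === VULNERABLE_VERSION) return 'vulnerable';
  if (compareVersions(version, FIXED_VERSION) >= 0) return 'fixed';
  return 'older than 3.1.10: not the version named here, but predates the fix; update';
}

// Walk lockfileVersion 2/3 ("packages", keyed by path) or lockfileVersion 1
// ("dependencies", nested) layouts and return every ejs entry found.
function findEjs(lock) {
  const found = [];
  if (lock.packages) {
    for (const [pkgPath, entry] of Object.entries(lock.packages)) {
      if (pkgPath === 'node_modules/ejs' || pkgPath.endsWith('/node_modules/ejs')) {
        found.push({ path: pkgPath, version: entry.version, status: classify(entry.version) });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const pkgPath = `${prefix}node_modules/${name}`;
        if (name === 'ejs') {
          found.push({ path: pkgPath, version: entry.version, status: classify(entry.version) });
        }
        if (entry.dependencies) walk(entry.dependencies, `${pkgPath}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function needsUpdate(lock) {
  return findEjs(lock).some((e) => e.status !== 'fixed');
}

// Constructed lockfile: a hoisted ejs 3.1.9 plus a nested, already-fixed copy.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { ejs: '3.1.9', 'report-tool': '^2.0.0' } },
    'node_modules/ejs': { version: '3.1.9' },
    'node_modules/report-tool': { version: '2.0.0', dependencies: { ejs: '^3.1.10' } },
    'node_modules/report-tool/node_modules/ejs': { version: '3.1.10' },
    'node_modules/express': { version: '4.18.2' },
  },
};

// Real use: findEjs(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
for (const e of findEjs(SAMPLE_LOCK)) {
  console.log(`${e.path} ${e.version} -> ${e.status}`);
}
```

Running this against a real lockfile in CI, before any install step, catches a pinned or nested 3.1.9 that a version check on the one hoisted copy would miss.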

📡 Detection & Monitoring

Log Indicators:

  • Unusual template file paths in ejs render calls
  • Unexpected closeDelimiter parameter values
  • Error logs showing template parsing failures

Network Indicators:

  • Outbound connections from application servers to unexpected destinations
  • Unusual data exfiltration patterns

SIEM Query (adjust field names to your logging schema):

source="application.logs" AND "ejs" AND ("render" OR "closeDelimiter") AND status="error"

Exploitation attempts typically surface as requests whose query string or body carries closeDelimiter or other ejs option names, often paired with 5xx responses or template compile errors while the attacker tunes the payload.
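The log indicators above as a runnable detection, added here and not taken from the advisory: it parses web server access-log lines (constructed below, combined log format) and flags requests whose query string carries ejs engine option names, either as a top-level parameter or as the last segment of a bracketed key. Path and field names are assumptions.

```javascript
'use strict';
// Added example (not from the advisory). Detection over access-log lines:
// flag requests that carry ejs engine option names in the query string.
// SAMPLE_LOG is constructed; the option names are ejs's own.

// closeDelimiter is the option named by this CVE; the rest are the other
// ejs compile-time options a request has no business supplying.
const EJS_OPTION_NAMES = [
  'closeDelimiter', 'openDelimiter', 'delimiter', 'outputFunctionName',
  'localsName', 'escape', 'includer', 'destructuredLocals', 'client', 'compileDebug',
];

// Matches the name as a whole parameter (closeDelimiter=...) or as the last
// bracket segment of a nested one (settings[view options][closeDelimiter]=...).
const OPTION_KEY_RE = new RegExp(`(?:^|\\[)(${EJS_OPTION_NAMES.join('|')})(?:\\]|$)`);

// ip ident user [time] "METHOD target PROTO" status
const REQUEST_LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function parseAccessLine(line) {
  const m = REQUEST_LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  const q = target.indexOf('?');
  return {
    ip,
    time,
    method,
    status: Number(status),
    path: q === -1 ? target : target.slice(0, q),
    query: q === -1 ? '' : target.slice(q + 1),
  };
}

// Decode parameter names and return those that look like ejs options.
function suspiciousParams(query) {
  const hits = [];
  for (const key of new URLSearchParams(query).keys()) {
    if (OPTION_KEY_RE.test(key)) hits.push(key);
  }
  return hits;
}

function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseAccessLine(line);
    if (!req) continue;
    const params = suspiciousParams(req.query);
    if (params.length) {
      findings.push({ ip: req.ip, time: req.time, path: req.path, status: req.status, params });
    }
  }
  return findings;
}

// Constructed sample log: one benign request, two probes, one unrelated POST.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/May/2023:10:01:22 +0000] "GET /profile?user=alice HTTP/1.1" 200 512',
  '203.0.113.7 - - [12/May/2023:10:01:25 +0000] "GET /profile?user=bob&closeDelimiter=%25%3E HTTP/1.1" 500 0',
  '203.0.113.7 - - [12/May/2023:10:01:30 +0000] "GET /?settings%5Bview%20options%5D%5BoutputFunctionName%5D=x HTTP/1.1" 200 400',
  '10.0.0.9 - - [12/May/2023:10:02:00 +0000] "POST /render HTTP/1.1" 200 77',
];

for (const f of scanAccessLog(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.ip} ${f.path} status=${f.status} params=${f.params.join(',')}`);
}
```

Access logs only carry the query string; option names sent in a POST body or as JSON are invisible here, so the same key check belongs in the application's own request logging or in the boundary code that rejects engine option names.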
