CVE-2024-45390

7.3 HIGH

📋 TL;DR

CVE-2024-45390 is a code injection vulnerability in the @blakeembrey/template JavaScript library that allows attackers to execute arbitrary code when they can control template display names. It affects applications that use vulnerable versions of this template library and pass untrusted input as the template display name. Developers using this library in web applications or Node.js services are at risk.

💻 Affected Systems

Products:
  • @blakeembrey/template
Versions: All versions prior to 1.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using the display name feature with attacker-controlled input

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption

🟠 Likely Case: Limited code execution within the application context, potentially allowing data access or privilege escalation

🟢 If Mitigated: No impact if untrusted input is not passed to template display names or the display name feature is disabled

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires that the attacker control the template display name input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.0

Vendor Advisory: https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj

Restart Required: Yes

Instructions:

1. Update package.json to require @blakeembrey/template version 1.2.0 or higher
2. Run npm update @blakeembrey/template
3. Restart your application

🔧 Temporary Workarounds

Disable display name feature (all)

Avoid using the display name parameter or ensure it only receives trusted input

Input validation (all)

Implement strict input validation for template display names

🧯 If You Can't Patch

  • Remove or disable the display name feature entirely
  • Implement strict input validation and sanitization for all template parameters

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for @blakeembrey/template version <1.2.0

Check Version:

npm list @blakeembrey/template

Verify Fix Applied:

Verify @blakeembrey/template version is 1.2.0 or higher in package.json
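As an added example (not code from the advisory or the @blakeembrey/template project), the following script carries out the "Check if Vulnerable" step against a parsed package-lock.json, reporting every installed copy of the package below 1.2.0, including nested copies installed under other dependencies. The lock fragment at the bottom is constructed sample data.

```javascript
// Added example: find installed copies of @blakeembrey/template in a parsed
// package-lock.json and report those older than the fixed release 1.2.0.
const PKG = "@blakeembrey/template";
const FIXED = "1.2.0";

// Numeric major.minor.patch comparison (pre-release suffixes ignored); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Collect all installed copies, including transitive ones.
// lockfileVersion 2/3 lists them under "packages" keyed by install path;
// lockfileVersion 1 nests them under "dependencies".
function findInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isPkg = path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
      if (isPkg && meta.version) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG && meta.version) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Copies still below the patched version.
function vulnerableCopies(lock) {
  return findInstalled(lock).filter((c) => compareVersions(c.version, FIXED) < 0);
}

// Constructed sample lock: the top-level copy is fixed, a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@blakeembrey/template": { version: "1.2.0" },
    "node_modules/some-dep/node_modules/@blakeembrey/template": { version: "1.1.0" },
  },
};
```

Run it against a real lock file by replacing SAMPLE_LOCK with JSON.parse of the file contents; an empty result from vulnerableCopies means every installed copy is at or above 1.2.0.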

📡 Detection & Monitoring

Log Indicators:

  • Unusual template processing errors
  • Suspicious template names containing code-like patterns

Network Indicators:

  • Unusual outbound connections from template processing services

SIEM Query:

source="application_logs" AND ("template error" OR "@blakeembrey/template") AND ("eval" OR "Function" OR suspicious_patterns)
