## CVE-2022-29078: Critical Server-Side Template Injection Vulnerability in EJS Library (v3.1.6)
A critical severity vulnerability (CVE-2022-29078) has been identified in the ejs (Embedded JavaScript templates) package, version 3.1.6, for Node.js. The vulnerability allows server-side template injection via the `settings[view options][outputFunctionName]` parameter: this input is incorrectly parsed as an internal option, enabling an attacker to overwrite the `outputFunctionName` option with an arbitrary operating system command, which is then executed during template compilation. The vulnerability has a CVSS score of 9.8, indicating critical severity.

The vulnerable library was detected in the dependency chain of a project, specifically within `ejs-0.8.8.tgz`, a dependency of `ejs-locals-1.0.2.tgz`. The issue was published on April 25, 2022. The suggested fix is to upgrade the ejs package to version 3.1.7 or later, which addresses the security flaw. This vulnerability poses a significant risk of remote code execution on affected servers.
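Added example (JavaScript, not code from the advisory or the ejs project): a defender-side check that flags the `settings[view options][outputFunctionName]` smuggling pattern in request data and builds render locals from an allow-list so engine options never reach the template engine. It assumes an Express-style app that merges request data into `res.render()` locals; the option-key list is an assumption compiled from the ejs compile-option documentation, and the sample body is constructed.

```javascript
// Added example (not code from the advisory or the ejs project): detect and strip
// EJS engine options smuggled inside user-controlled render locals.
// Assumes an Express-style app that merges request data into res.render() locals.

// Keys EJS interprets as engine options rather than template data (assumption: list
// compiled from the ejs compile-option documentation; extend it for your version).
const EJS_OPTION_KEYS = new Set([
  'settings', 'view options', 'outputFunctionName', 'localsName', 'client',
  'escape', 'escapeFunction', 'delimiter', 'openDelimiter', 'closeDelimiter',
  'cache', 'filename', 'root', 'views', 'context', 'compileDebug', 'debug',
  'strict', '_with', 'destructuredLocals', 'rmWhitespace', 'async', 'includer',
]);

// Walk an object (e.g. a parsed request body) and return the bracket path of every
// key that EJS would treat as an option, so the request can be logged or rejected.
function findEngineOptionPaths(obj, prefix = '') {
  const hits = [];
  if (obj === null || typeof obj !== 'object') return hits;
  for (const [key, value] of Object.entries(obj)) {
    const path = `${prefix}[${JSON.stringify(key)}]`;
    if (EJS_OPTION_KEYS.has(key)) hits.push(path);
    hits.push(...findEngineOptionPaths(value, path));
  }
  return hits;
}

// Build render locals from user input using an allow-list: only named keys pass,
// and anything recognised as an engine option is dropped even if allow-listed.
function buildRenderLocals(userInput, allowedKeys) {
  const locals = Object.create(null);   // no prototype keys to collide with
  const dropped = [];
  for (const [key, value] of Object.entries(userInput ?? {})) {
    if (!allowedKeys.has(key) || EJS_OPTION_KEYS.has(key)) dropped.push(key);
    else locals[key] = value;
  }
  return { locals, dropped };
}

// Constructed sample request body shaped like the vector in the advisory
// (the payload value is a placeholder, not a real exploit string).
const sampleBody = {
  username: 'alice',
  settings: { 'view options': { outputFunctionName: 'PLACEHOLDER_PAYLOAD' } },
};

console.log(findEngineOptionPaths(sampleBody));
// → [ '["settings"]', '["settings"]["view options"]', '["settings"]["view options"]["outputFunctionName"]' ]
console.log(buildRenderLocals(sampleBody, new Set(['username'])));
```

Wire `findEngineOptionPaths` into request logging to surface probing against this vector, and use `buildRenderLocals` at every `res.render()` call site that takes request-derived data.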
---
- **Source**: 
- **Sector**: The Network
- **Tags**: node.js, javascript, vulnerability, security
- **Credibility**: unverified
- **Published**: 2026-03-05 10:27:03
- **ID**: 1771
- **URL**: https://whisperx.ai/en/intel/1771