## CVE-2017-1000189: High-Severity DoS Vulnerability in Legacy EJS Templating Engine
A high-severity denial-of-service (DoS) vulnerability, tracked as CVE-2017-1000189, persists in legacy versions of the EJS (Embedded JavaScript templates) library for Node.js. The flaw, with a CVSS score of 7.5, stems from weak input validation within the `ejs.renderFile()` function. This vulnerability specifically affects all versions of EJS older than 2.5.5, leaving projects dependent on outdated packages like `ejs-0.8.8.tgz` exposed to potential service disruption attacks.

The vulnerability's impact is amplified by its presence in nested dependency chains, making it a hidden risk. In the reported instance, the vulnerable `ejs-0.8.8.tgz` library is not a direct project dependency but is pulled in indirectly by the root library `ejs-locals-1.0.2.tgz`. This creates a supply chain security blind spot, as developers may be unaware of the outdated and vulnerable component buried within their `node_modules`. The flaw was publicly disclosed in November 2017, so projects still using these versions have been operating with a known high-severity weakness for years.

The primary mitigation is a straightforward version upgrade to EJS 2.5.5 or later. However, the persistence of this vulnerability highlights broader issues in software maintenance and dependency management. Organizations relying on legacy or infrequently updated packages, particularly within complex dependency trees, face ongoing risks. This case serves as a pointed reminder of the necessity for continuous vulnerability scanning and proactive dependency updates to secure the software supply chain against known, exploitable weaknesses.
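The two practical takeaways above, finding a vulnerable EJS copy that hides behind a transitive dependency and checking it against the fixed version, can be turned into a small audit script. The following is an added example, not code from the original page or from the EJS project: it walks a `package-lock.json`-style (lockfileVersion 1) `dependencies` tree, reports every path that reaches an `ejs` release older than 2.5.5, and treats 2.5.5 itself as patched. The sample tree is constructed for illustration and only mirrors the names and versions the page mentions (`ejs-locals` 1.0.2 pulling in `ejs` 0.8.8); `other-lib` is a placeholder package.

```javascript
// Added example (not from the original page or the EJS project): report every
// dependency path that ends in an EJS version older than the fixed release.
const FIXED_VERSION = '2.5.5'; // first version without CVE-2017-1000189, per the advisory

// Parse "major.minor.patch" into numbers; any pre-release suffix is ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version a is strictly older than version b (numeric, not lexical).
function olderThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Recursively walk a lockfile-v1 style "dependencies" map and collect every
// path (root > ... > ejs@version) whose ejs is below the fixed version.
function findVulnerableEjs(deps, pkg = 'ejs', fixed = FIXED_VERSION, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const here = path.concat(`${name}@${info.version}`);
    if (name === pkg && olderThan(info.version, fixed)) {
      hits.push({ version: info.version, path: here.join(' > ') });
    }
    // Nested dependencies are where transitive copies hide.
    hits.push(...findVulnerableEjs(info.dependencies, pkg, fixed, here));
  }
  return hits;
}

// Constructed sample, shaped like the "dependencies" object of a
// package-lock.json (lockfileVersion 1). Not a real project's lockfile.
const SAMPLE_LOCK = {
  dependencies: {
    'ejs-locals': {
      version: '1.0.2',
      dependencies: {
        ejs: { version: '0.8.8' }, // transitive, vulnerable copy
      },
    },
    'other-lib': { version: '1.0.0' }, // placeholder package, no ejs
    ejs: { version: '2.5.5' }, // direct copy at exactly the fixed version
  },
};

// Run the audit over the sample tree and return the findings.
function auditSample() {
  return findVulnerableEjs(SAMPLE_LOCK.dependencies);
}

for (const hit of auditSample()) {
  console.log(`ejs ${hit.version} < ${FIXED_VERSION} via ${hit.path}`);
}
```

On a real project, `npm ls ejs` prints the same kind of path information for the installed tree, and `npm audit` cross-checks the lockfile against the advisory database; the script above is useful where neither is available (for example when only a lockfile is checked in) or when the result needs to feed a CI gate. Note that it compares numeric version components, so 2.10.0 is correctly treated as newer than 2.5.5, which a plain string comparison would get wrong.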
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2017-1000189, Node.js, Supply Chain Security, Denial-of-Service, Legacy Software
- **Credibility**: unverified
- **Published**: 2026-03-29 05:27:06
- **ID**: 39646
- **URL**: https://whisperx.ai/en/intel/39646