## Critical CVE-2022-29078: Server-Side Template Injection in EJS Library (ejs-2.7.4.tgz)
A critical-severity vulnerability, CVE-2022-29078, affects the widely used EJS (Embedded JavaScript templates) library in all versions before 3.1.7; the artifact flagged here is version 2.7.4. The flaw is a server-side template injection that ends in arbitrary code execution on the host. Its trigger is the `settings[view options][outputFunctionName]` option: EJS's Express integration shallow-copies everything found under `settings['view options']` in the render data onto its compile options without validating it, and `outputFunctionName` is then concatenated verbatim into the JavaScript source that EJS generates for the template. An attacker who can place that nested key in the render data, typically because the application hands a parsed query string or request body straight to `res.render()`, can terminate the variable declaration and append arbitrary JavaScript. That code runs with the privileges of the Node.js process when the template is rendered, so the bug is remote code execution rather than merely the overwriting of a setting.
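The mechanism described above, as an added model written for this page (it is not EJS's or Express's own source): a stand-in for the bracket-notation query parser Express uses, the `view options` merge, the 2.7.4-style source generation that concatenates `outputFunctionName`, the identifier check that 3.1.7 introduced, and an app-side allowlist. `parseQuery`, `pickLocals`, `sink` and the attacker query string are constructed for the demonstration; the payload writes a marker into `sink` instead of reaching `process` or `child_process` as a real one would.

```javascript
// Added model of CVE-2022-29078, not EJS's or Express's own code. Only
// `<%= expr %>` tags are supported; everything else is stripped down.

// Stand-in for the bracket-notation query parser Express uses (the real one
// is the `qs` package): 'a[b][c]=v' -> { a: { b: { c: 'v' } } }.
function parseQuery(query) {
  const out = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq < 0 ? pair : pair.slice(0, eq);
    const rawVal = eq < 0 ? '' : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    const val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    const path = key.split(/\[|\]\[|\]/).filter(Boolean);
    let node = out;
    path.forEach((part, i) => {
      if (i === path.length - 1) node[part] = val;
      else node = node[part] = node[part] || {};
    });
  }
  return out;
}

// The Express-integration step: whatever sits under data.settings['view options']
// is shallow-copied onto the compile options, with no validation.
function optionsFromRenderData(data, opts = {}) {
  const viewOpts = data && data.settings && data.settings['view options'];
  return viewOpts ? Object.assign({}, opts, viewOpts) : Object.assign({}, opts);
}

// Turn 'Hello <%= locals.name %>' into statements that append to __output.
function generateBody(template) {
  const re = /<%=([\s\S]*?)%>/g;
  let body = '';
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    body += '__append(' + JSON.stringify(template.slice(last, m.index)) + ');\n';
    body += '__append(escapeFn(' + m[1].trim() + '));\n';
    last = m.index + m[0].length;
  }
  return body + '__append(' + JSON.stringify(template.slice(last)) + ');\n';
}

const escapeFn = (s) => String(s).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');

// Vulnerable shape (2.7.4): the option is concatenated straight into the source,
// so a value like `x;<anything>;var y` turns the declaration into attacker statements.
function compileVulnerable(template, opts) {
  let src = 'var __output = "";\n' +
    'function __append(s) { if (s !== undefined && s !== null) __output += s; }\n';
  if (opts.outputFunctionName) {
    src += 'var ' + opts.outputFunctionName + ' = __append;\n';
  }
  src += generateBody(template) + 'return __output;\n';
  // `sink` is a constructed stand-in for what real payloads reach (process, child_process).
  return new Function('locals', 'escapeFn', 'sink', src);
}

// The check 3.1.7 added: the option must be a plain JavaScript identifier.
const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;
function compileHardened(template, opts) {
  if (opts.outputFunctionName && !JS_IDENTIFIER.test(opts.outputFunctionName)) {
    throw new Error('outputFunctionName is not a valid JS identifier.');
  }
  return compileVulnerable(template, opts);
}

// App-side defence regardless of EJS version: never hand req.query / req.body
// to res.render() wholesale; copy only the locals the view needs.
function pickLocals(query, allowed) {
  const locals = {};
  for (const key of allowed) if (key in query) locals[key] = query[key];
  return locals;
}

function render(compile, template, data, sink) {
  return compile(template, optionsFromRenderData(data))(data, escapeFn, sink);
}

// Constructed attacker request: a normal-looking `name` plus the injected option,
// as it would arrive if the app did res.render('index', req.query).
const ATTACKER_QUERY =
  'name=Bob&settings[view%20options][outputFunctionName]=' +
  encodeURIComponent('x;sink.push("injected code ran");var y');

function demo() {
  const template = 'Hello <%= locals.name %>';
  const data = parseQuery(ATTACKER_QUERY);
  const sink = [];
  const vulnerableOutput = render(compileVulnerable, template, data, sink); // 'Hello Bob', and sink now holds the marker
  let hardenedError = null;
  try {
    render(compileHardened, template, data, sink);
  } catch (e) {
    hardenedError = e.message;
  }
  const safeOptions = optionsFromRenderData(pickLocals(data, ['name']));
  return { vulnerableOutput, sink, hardenedError, safeOptions };
}

console.log(demo());
```

The rendered page looks normal in the vulnerable case, which is why this bug is easy to miss in testing: the injected statements run before the template body and leave the output untouched. The hardened compiler rejects the option at compile time, and the allowlist shows that an application which copies only known locals never lets a `settings` key reach the engine in the first place.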

The vulnerable package, `ejs-2.7.4.tgz`, is a direct or transitive dependency of a large number of Node.js applications, so its exposure is significant. The CVE was published on April 25, 2022, so it has been a known and patched risk for years. Its detection in a project's dependency tree, at the `/node_modules/ejs/package.json` path shown in the scan, signals unresolved security debt. The critical rating reflects the direct path from user-controlled input to code execution, together with the fact that the injection point is a rendering option rather than template data: the HTML escaping EJS applies to `<%= %>` output does nothing to stop it.

Any application that renders with an unpatched EJS is at severe risk of compromise. Developers and security teams should audit their `package.json` files and lockfiles (`npm ls ejs` lists every resolved copy, and `npm audit` flags the advisory) and upgrade every instance of EJS below 3.1.7, the release in which `outputFunctionName` is validated as a plain JavaScript identifier. Independently of the upgrade, application code should never pass `req.query` or `req.body` wholesale as render options; only the specific locals a view needs should reach `res.render()`, which removes the injection path even on older versions. The persistence of this old but critical CVE in active projects highlights the ongoing challenges of dependency management and the cascading risk inherent in the open-source software supply chain.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2022-29078, Node.js, Server-Side Template Injection, Remote Code Execution, Supply Chain Security
- **Credibility**: unverified
- **Published**: 2026-03-31 06:27:07
- **ID**: 42514
- **URL**: https://whisperx.ai/en/intel/42514