Cross-site Scripting (XSS) Affecting ejs package, versions <2.5.5

ejs is a popular JavaScript templating engine. Affected versions of the package are vulnerable to Cross-site Scripting by letting the attacker under certain conditions control and override the filename option causing it to render the value as is, without escaping it. You can read more about this vulnerability on the Snyk blog.

There's also a Remote Code Execution & Denial of Service vulnerabilities caused by the same behaviour.

ejs provides a few different options for you to render a template, two being very similar: ejs.render() and ejs.renderFile(). The only difference being that render expects a string to be used for the template and renderFile expects a path to a template file.

Both functions can be invoked in two ways. The first is calling them with template, data, and options:

ejs.render(str, data, options);

ejs.renderFile(filename, data, options, callback)

The second way would be by calling only the template and data, while ejs lets the options be passed as part of the data:

ejs.render(str, dataAndOptions);

ejs.renderFile(filename, dataAndOptions, callback)

If used with a variable list supplied by the user (e.g. by reading it from the URI with qs or equivalent), an attacker can control ejs options. This includes the filename option, which will be rendered as is when an error occurs during rendering.

ejs.renderFile('my-template', {filename:'<script>alert(1)</script>'}, callback);

The fix introduced in version 2.5.3 blacklisted root options from options passed via the data object.

• November 28th, 2016 - Reported the issue to package owner.
• November 28th, 2016 - Issue acknowledged by package owner.
• December 06th, 2016 - Issue fixed and version 2.5.5 released.

• Snyk Blog
• Fix commit