What is CVE-2022-29078?

CVE-2022-29078 is a vulnerability in N/a. Published 2022-04-25.

Is CVE-2022-29078 known to be exploited?

52 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2022-29078

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option w…

EPSS: 0.935 (99.8th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

miko550/CVE-2022-29078
l0n3m4n/CVE-2022-29078
seal-sec-demo-2/npm-demo
amusedx/CVE-2022-29078
chuckdu21/CVE-2022-29078
shurochka1396/expluatation_CVE-2022-29078
HotDB-Community/HotDB-Engine
NaInSec/CVE-PoC-in-GitHub
NketiahGodfred/EJS-ssti-exploit
SYRTI/POC_

References

github.com/mde/ejs/releases (x_refsource_MISC)
eslam.io/posts/ejs-server-side-template-injection-rce/ (x_refsource_MISC)
security.netapp.com/advisory/ntap-20220804-0001/ (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2022-29078?: CVE-2022-29078 is a vulnerability in N/a. Published 2022-04-25.
Is CVE-2022-29078 known to be exploited?: 52 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.