CVE-2022-25967
Eta vulnerable to Code Injection via templates rendered with user-defined data
8.8
HIGH
CVSS 3.1
EPSS 19.0%
Description
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.
How to fix CVE-2022-25967
To remediate CVE-2022-25967, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.0 or later
Is CVE-2022-25967 being exploited?
Moderate — EPSS is 19.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 2.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |