Medium severity · 6.1 · NVD Advisory · Published Nov 17, 2017 · Updated May 13, 2026
CVE-2017-1000188
CVE-2017-1000188
Description
nodejs ejs versions older than 2.5.5 are vulnerable to cross-site scripting in ejs.renderFile(), resulting in code injection.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ejs (npm) | < 2.5.5 | 2.5.5 |
Affected products
1
Patches
1
49264e0037e3 Blacklist a few other unsafe opts from passing in data obj
2 files changed · +25 −7
lib/ejs.js+9 −5 modified@@ -56,6 +56,12 @@ var _REGEX_STRING = '(<%%|%%>|<%=|<%-|<%_|<%#|<%|%>|-%>|_%>)'; var _OPTS = [ 'cache', 'filename', 'delimiter', 'scope', 'context', 'debug', 'compileDebug', 'client', '_with', 'root', 'rmWhitespace', 'strict', 'localsName']; +var _OPTS_IN_DATA_BLACKLIST = { + cache: true, + filename: true, + root: true, + localsName: true + }; var _BOM = /^\uFEFF/; /** @@ -268,11 +274,9 @@ function rethrow(err, str, filename, lineno){ function cpOptsInData(data, opts) { _OPTS.forEach(function (p) { if (typeof data[p] != 'undefined') { - // Disallow setting the root opt for includes via a passed data obj - // Unsanitized, parameterized use of `render` could allow the - // include directory to be reset, opening up the possibility of - // remote code execution - if (p == 'root') { + // Disallow passing potentially dangerous opts in the data + // These opts should not be settable via a `render` call + if (_OPTS_IN_DATA_BLACKLIST[p]) { return; } opts[p] = data[p];
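Review bot: The check added in `cpOptsInData` is a denylist, so every `_OPTS` entry not named in `_OPTS_IN_DATA_BLACKLIST` (`delimiter`, `scope`, `context`, `debug`, `compileDebug`, `client`, `_with`, `rmWhitespace`, `strict`) is still copied from the data object into `opts`, and any option appended to `_OPTS` later becomes data-settable by default. Failing closed would be safer: define the few options the legacy data-and-opts shim must keep accepting and change the guard to `if (!_OPTS_IN_DATA_ALLOWED[p]) { return; }` (name illustrative). The guard would also benefit from a comment stating why each blocked option is blocked, since the removed comment about `root` was the only place that explained the risk. `cpOptsInData` continues past the end of the hunk, so whether anything after `opts[p] = data[p];` validates the copied values cannot be seen here.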
test/ejs.js+16 −2 modified@@ -168,6 +168,21 @@ suite('ejs.compile(str, options)', function () { }); +/* Old API -- remove when this shim goes away */ +suite('ejs.render(str, dataAndOpts)', function () { + test('render the template with data/opts passed together', function () { + assert.equal(ejs.render('<p><?= foo ?></p>', {foo: 'yay', delimiter: '?'}), + '<p>yay</p>'); + }); + + test('disallow unsafe opts passed along in data', function () { + assert.equal(ejs.render('<p><?= locals.foo ?></p>', + // localsName should not get reset because it's blacklisted + {_with: false, foo: 'yay', delimiter: '?', localsName: '_'}), + '<p>yay</p>'); + }); +}); + suite('ejs.render(str, data, opts)', function () { test('render the template', function () { assert.equal(ejs.render('<p>yay</p>'), '<p>yay</p>'); @@ -753,7 +768,6 @@ suite('include()', function () { var viewsPath = path.join(__dirname, 'fixtures'); assert.equal(ejs.render(fixture('include-root.ejs'), {pets: users}, {filename: file, delimiter: '@',root:viewsPath}), fixture('include.html')); - }); test('work when nested', function () { @@ -918,7 +932,7 @@ suite('preprocessor include', function () { var template = fixture('include_preprocessor_line_slurp.ejs'); var expected = fixture('include_preprocessor_line_slurp.html'); var options = {rmWhitespace: true, filename: file}; - assert.equal(ejs.render(template, options), + assert.equal(ejs.render(template, {}, options), expected); });
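Review bot: The new test 'disallow unsafe opts passed along in data' exercises only `localsName`; the other three keys the commit blocks in lib/ejs.js (`cache`, `filename`, `root`) have no regression test, so a later edit that drops one of them from the denylist would go unnoticed. Add one assertion per key to the same suite, each passing the key inside the data object and checking that rendering behaves as if it had not been set. The last hunk's change from `ejs.render(template, options)` to `ejs.render(template, {}, options)` also suggests that callers relying on `filename` in the combined data/opts argument will see a behaviour change, which deserves a changelog entry.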
References
5- github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8fnvdPatchThird Party AdvisoryWEB
- www.securityfocus.com/bid/101889nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-hwcf-pp87-7x6pghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-1000188ghsaADVISORY
- web.archive.org/web/20200227134555/http://www.securityfocus.com/bid/101889ghsaWEB