High severity · NVD Advisory · Published May 14, 2021 · Updated Aug 3, 2024
Remote code execution in squirrelly
CVE-2021-32819
Description
Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options, remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.
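The defensive counterpart of the issue described above is to keep untrusted request data out of the object the render call hands to the view engine. The following is an added example and is not Squirrelly's or Express's own code; the helper names (`renderLocalsFor`, `findReservedKeys`) are hypothetical, and it assumes an Express-style `res.render(view, locals)` call in which Express also exposes the application settings to the view under a `settings` key. The reserved names are the keys the fix commits stopped reading from render data (`settings`, `views`, `view cache`, `view options`), the engine options they mapped onto (`cache`, `filename`) and `root`, which the removed code comment singled out as unsafe to pass along with data.

```javascript
// Added example for this advisory; not Squirrelly's or Express's code.
// Helper names are hypothetical. Assumption: the app renders with an
// Express-style res.render(view, locals), where the locals object reaches
// the view engine together with configuration such as app settings.
const RESERVED_KEYS = new Set([
  'settings', 'views', 'view cache', 'view options', 'cache', 'filename', 'root',
]);

function isReservedKey(key) {
  return RESERVED_KEYS.has(key);
}

// Build the locals for a render call from an explicit list of template
// variables (allow-list). Only declared names are copied from the untrusted
// input, so a request body that also carries "settings" or any other
// undeclared key never reaches the engine. Declared names may not shadow a
// reserved key, which would reintroduce the data/config mix-up.
function renderLocalsFor(allowedFields, untrusted) {
  for (const name of allowedFields) {
    if (isReservedKey(name)) {
      throw new Error(`template variable "${name}" collides with an engine option`);
    }
  }
  const locals = {};
  for (const name of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(untrusted, name)) {
      locals[name] = untrusted[name];
    }
  }
  return locals;
}

// Audit helper for existing routes that spread request data straight into
// locals: returns the keys the engine would read as configuration rather
// than template data, so the route can log or reject before rendering.
function findReservedKeys(data) {
  return Object.keys(data).filter(isReservedKey);
}

// Constructed sample standing in for a parsed request body. The "settings"
// key has the same name as the object Express attaches to view locals.
const SAMPLE_BODY = {
  name: 'alice',
  settings: { views: '/not/the/app/views' },
  'view options': {},
};

// Runs both helpers over the sample; returns the results for inspection.
function demo() {
  return {
    safeLocals: renderLocalsFor(['name', 'title'], SAMPLE_BODY),
    flagged: findReservedKeys(SAMPLE_BODY),
  };
}

console.log(JSON.stringify(demo()));
```

A route would call `res.render('profile', renderLocalsFor(['name', 'title'], req.body))` instead of `res.render('profile', req.body)`; `findReservedKeys` is for auditing routes that cannot be changed immediately, where a non-empty result is worth a log line.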
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| squirrelly (npm) | < 9.0.0 | 9.0.0 |
Affected products
- Range: 9.0.0
Patches
c12418a026f7: Don't merge data.settings into the config option
1 file changed · +0 −13
src/file-handlers.ts+0 −13 modified@@ -18,9 +18,6 @@ interface FileOptions extends SqrlConfig { } interface DataObj { - settings?: { - [key: string]: any - } [key: string]: any } @@ -114,16 +111,6 @@ function renderFile (filename: string, data: DataObj, cb?: CallbackFn) { var Config: FileOptions = getConfig((data as PartialConfig)) as FileOptions // TODO: make sure above doesn't error. We do set filename down below - if (data.settings) { - // Pull a few things from known locations - if (data.settings.views) { - Config.views = data.settings.views - } - if (data.settings['view cache']) { - Config.cache = true - } - } - Config.filename = filename // Make sure filename is right return tryHandleCache(Config, data, cb as CallbackFn)
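Review bot: the second hunk removes the `data.settings` copying but leaves the unchanged context line `var Config: FileOptions = getConfig((data as PartialConfig)) as FileOptions`, which still builds the engine config from the render data object itself, so top-level keys of untrusted render data can still land in `Config`; template data and engine configuration should be separate parameters, or the config should be built from an explicit allow-list of keys. The first hunk drops `settings?` from `DataObj`, but the remaining `[key: string]: any` index signature means `data.settings` still type-checks, so nothing prevents the removed code path from being reintroduced; a comment on `DataObj` stating that render data must not carry configuration would help, and the `// TODO: make sure above doesn't error` left in context should be resolved or tracked.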
dca7a1e7ee91: don't pass view options
1 file changed · +1 −9
src/file-handlers.ts+1 −9 modified@@ -4,7 +4,7 @@ import SqrlErr from './err' import compile from './compile' import { getConfig } from './config' import { getPath, readFile, loadFile } from './file-utils' -import { promiseImpl, copyProps } from './utils' +import { promiseImpl } from './utils' /* TYPES */ @@ -34,7 +34,6 @@ interface DataObj { * `options.filename` so it must be set prior to calling this function. * * @param {Options} options compilation options - * @param {String} [template] template source * @return {(TemplateFunction|ClientFunction)} * Depending on the value of `options.client`, either type might be returned. * @static @@ -123,13 +122,6 @@ function renderFile (filename: string, data: DataObj, cb?: CallbackFn) { if (data.settings['view cache']) { Config.cache = true } - // Undocumented after Express 2, but still usable, esp. for - // items that are unsafe to be passed along with data, like `root` - var viewOpts = data.settings['view options'] - - if (viewOpts) { - copyProps(Config, viewOpts) - } } Config.filename = filename // Make sure filename is right
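Review bot: removing the `copyProps(Config, viewOpts)` call closes only the `view options` path; the context lines of the third hunk show `if (data.settings['view cache']) { Config.cache = true }` still in place, so a `settings` key in render data still steers engine behaviour and the rest of that block should go in the same change. The middle hunk, which drops `@param {String} [template] template source` from the JSDoc, is unrelated cleanup; keep it in a separate commit or mention it in the commit message.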
References
- github.com/advisories/GHSA-q8j6-pwqx-pm96 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2021-32819 (advisory, via GHSA)
- securitylab.github.com/advisories/GHSL-2021-023-squirrelly (advisory, via GHSA)
- github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e (web, via GHSA)
- github.com/squirrellyjs/squirrelly/commit/dca7a1e7ee91d8a6ffffb655f3f15647486db9da (web, via GHSA)
- github.com/squirrellyjs/squirrelly/pull/254 (web, via GHSA)
- securitylab.github.com/advisories/GHSL-2021-023-squirrelly/ (via MITRE)