Home > Vulnerability Database > CVE-2022-25967

Mend.io Vulnerability Database

CVE-2022-25967

Good to know:

Date: January 30, 2023

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.

Language: JS

Severity Score

8.8

Related Resources (5)

Url: https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/compile-string.ts%23L21

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-25967

Url: https://github.com/eta-dev/eta/blob/9c8e4263d3a559444a3881a85c1607bf344d0b28/src/file-handlers.ts%23L182

Url: https://github.com/eta-dev/eta/commit/5651392462ee0ff19d77c8481081a99e5b9138dd

Url: https://www.mend.io/vulnerability-database/CVE-2022-25967

Severity Score

8.8

Weakness Type (CWE)

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version eta - 2.0.0

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-25967

Good to know:

Date: January 30, 2023

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?