Skip to content

[Aikido] Fix security issue in ejs via minor version upgrade from 3.1.6 to 3.1.10 in packages#26

Open
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-update-packages-55452580-ruvd
Open

[Aikido] Fix security issue in ejs via minor version upgrade from 3.1.6 to 3.1.10 in packages#26
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-update-packages-55452580-ruvd

Conversation

@aikido-autofix

Copy link
Copy Markdown

Upgrade ejs to fix critical server-side template injection (RCE) and prototype pollution vulnerabilities.

✅ There are no breaking changes

✅ 2 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2022-29078
🚨 CRITICAL
[ejs] Server-side template injection vulnerability in view options allows attackers to overwrite the outputFunctionName setting with arbitrary OS commands that execute during template compilation, leading to remote code execution.
CVE-2024-33883
MEDIUM
[ejs] The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.

@aikido-autofix aikido-autofix Bot added bug Something isn't working documentation Improvements or additions to documentation labels Jun 25, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

5 Open source vulnerabilities detected - high severity
Aikido detected 5 vulnerabilities across 1 package, it includes 1 high and 4 medium vulnerabilities.

Details

Remediation Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants