Platform
nodejs
Component
@blakeembrey/template
Fixed in
1.2.1
1.2.0
CVE-2024-45390 describes a code injection vulnerability discovered in the @blakeembrey/template library for Node.js. An attacker who can write to the template name can inject and execute arbitrary code, potentially leading to complete system compromise. This vulnerability affects versions prior to 1.2.0 and has been resolved with an upgrade to the patched version. A workaround is to avoid using untrusted input as the template display name.
The primary impact of CVE-2024-45390 is the ability for an attacker to execute arbitrary code within the context of the Node.js application using the @blakeembrey/template library. This is achieved by crafting a malicious template name that contains JavaScript code. If the attacker has write access to the template file, they can inject this malicious code, which will then be executed when the template is rendered. This could allow an attacker to steal sensitive data, modify application behavior, or even gain remote control of the server. The provided example demonstrates how a simple template call can be exploited to execute arbitrary code, highlighting the severity of the vulnerability.
CVE-2024-45390 was publicly disclosed on September 3, 2024. There are currently no known active campaigns exploiting this vulnerability, and no public proof-of-concept exploits have been released. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively recent disclosure and the lack of public exploits, the probability of exploitation is considered low to medium.
Applications built with Node.js that utilize the @blakeembrey/template library and allow users to provide input that influences the template name are at risk. This includes applications that dynamically generate templates based on user-supplied data, such as content management systems or web applications with customizable templates. Developers who haven't updated their dependencies are particularly vulnerable.
• nodejs / server:
npm list @blakeembrey/template
Check the installed version of @blakeembrey/template. If it's less than 1.2.0, the system is vulnerable.
• nodejs / server:
find . -name "template.js" -print0 | xargs -0 grep -i "exploit() {}"
Search for suspicious code patterns within template files that might indicate exploitation attempts.
• generic web:
Review application logs for any unusual activity related to template rendering or file access. Look for errors or unexpected behavior that could indicate an attempted code injection.
EPSS
0.42% (62nd percentile)
The primary mitigation for CVE-2024-45390 is to upgrade to version 1.2.0 or later of the @blakeembrey/template library. This version includes a fix that prevents the code injection vulnerability. If upgrading is not immediately feasible, a workaround is to avoid using untrusted input as the template display name. This prevents the attacker from injecting malicious code through the template name. Thorough input validation and sanitization should be implemented to ensure that only trusted data is used in template rendering. After upgrading, confirm the fix by attempting to render a template with a deliberately malicious name and verifying that the code is not executed.
Upgrade the @blakeembrey/template library to version 1.2.0 or later. This fixes the code injection vulnerability. If you cannot upgrade immediately, avoid passing untrusted input as the template display name, or disable the display name feature.
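The version check and the display-name workaround described above, as an added example that is not code from @blakeembrey/template or its advisory: it scans an npm lockfile's packages map for copies of the library below 1.2.0, including nested ones, and restricts display names to plain identifiers. The lockfile fragment is constructed, and findVulnerableInstalls, safeDisplayName and the "template" fallback name are hypothetical helpers chosen for illustration.

```javascript
// Added example; helper names and the sample lockfile are assumptions.
const PKG = "@blakeembrey/template";
const FIXED = [1, 2, 0]; // first patched version named on this page

// "1.1.3" -> [1, 1, 3]; pre-release/build suffixes are ignored; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when the version is below FIXED. Unparseable versions fail closed.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return true;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false;
}

// Scan the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// report every copy of the library below the fixed version, including
// copies nested under other dependencies.
function findVulnerableInstalls(lock) {
  const suffix = "node_modules/" + PKG;
  return Object.entries(lock.packages || {})
    .filter(([p, meta]) => p.endsWith(suffix) && isVulnerable(meta.version))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Workaround guard: accept a display name only if it is a short plain
// identifier, otherwise use a fixed fallback (assumed acceptable to the app).
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;
function safeDisplayName(input, fallback = "template") {
  return typeof input === "string" && IDENTIFIER.test(input) ? input : fallback;
}

// Constructed lockfile fragment, for illustration only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/@blakeembrey/template": { version: "1.2.0" },
    "node_modules/some-dep/node_modules/@blakeembrey/template": { version: "1.1.3" },
  },
};

console.log(findVulnerableInstalls(SAMPLE_LOCK));
console.log(safeDisplayName("userGreeting"), safeDisplayName("report() {}"));
```

In CI, pass the parsed contents of package-lock.json to findVulnerableInstalls and fail the build when the result is non-empty.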
CVE-2024-45390 is a code injection vulnerability in the @blakeembrey/template library for Node.js, allowing attackers to execute arbitrary code if they can write to the template name. It has a CVSS score of 7.3 (HIGH).
You are affected if you are using a version of @blakeembrey/template prior to 1.2.0 and allow users to influence the template name.
Upgrade to version 1.2.0 or later of the @blakeembrey/template library. As a workaround, avoid using untrusted input as the template display name.
As of September 2024, there are no known active campaigns or public proof-of-concept exploits for CVE-2024-45390.
Refer to the GitHub commit for the fix: https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa.