CVE-2024-45390 HIGH

CVE-2024-45390: @blakeembrey/template vulnerable to code injection when attacker controls template input

Vendor Blakeembrey
Product js-template
Weakness CWE-94 · Code injection
Published September 3, 2024
Last update September 3, 2024

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

Description

@blakeembrey/template is a string template library. In versions prior to 1.2.0, an attacker who can set the template display name can inject code that runs as part of the compiled template (CWE-94, code injection). Version 1.2.0 contains a patch. Until the upgrade is in place, do not pass untrusted input as the template display name, or do not use the display name feature at all.
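As an added example, not code from @blakeembrey/template and not a claim about how that library is implemented, the snippet below reconstructs the CWE-94 pattern the advisory describes. `compileUnsafe` splices the caller-supplied display name straight into source handed to `new Function`, so a crafted name terminates the function declaration and runs attacker code at compile time; `compileSafe` never splices the name into source and sets it with `Object.defineProperty` instead. The function names, the `${key}` placeholder syntax and the payload are assumptions for illustration.

```javascript
// Added example (not the library's code): a minimal template compiler showing
// the display-name injection pattern and a hardened variant.

// Turn 'Hello ${name}!' into the source of a function body such as
//   return "Hello " + String(data["name"]) + "!";
// Literal chunks are JSON-encoded, so the template text itself cannot break
// out of the generated source; the only unencoded input is the display name.
function generateBody(template) {
  const parts = [];
  const placeholder = /\$\{(\w+)\}/g;
  let last = 0;
  let m;
  while ((m = placeholder.exec(template)) !== null) {
    parts.push(JSON.stringify(template.slice(last, m.index)));
    parts.push('String(data[' + JSON.stringify(m[1]) + '])');
    last = placeholder.lastIndex;
  }
  parts.push(JSON.stringify(template.slice(last)));
  return 'return ' + parts.join(' + ') + ';';
}

// VULNERABLE: the display name is concatenated verbatim into the source
// string. A name like `evil(){ ... }(); //` closes the declaration early,
// executes at compile time and comments out the rest of the line.
function compileUnsafe(template, displayName = 'template') {
  const src =
    'return function ' + displayName + '(data) { ' + generateBody(template) + ' };';
  return new Function(src)();
}

// HARDENED: compile an anonymous function from the body only, then attach the
// display name as data. `name` on functions is non-writable but configurable,
// so defineProperty works and the name never reaches the code generator.
// (If the name must be spliced into source, an identifier allowlist such as
// /^[A-Za-z_$][\w$]*$/ is the other defensible option.)
function compileSafe(template, displayName = 'template') {
  const fn = new Function('data', generateBody(template));
  Object.defineProperty(fn, 'name', { value: displayName });
  return fn;
}

// Constructed payload: runs arbitrary code (here a marker on globalThis) and
// replaces the compiled template with an attacker-chosen function.
const PAYLOAD =
  'evil(){ globalThis.pwned = 1; return function(data){ return "hijacked"; }; }(); //';

// Demo when run directly.
const greet = compileSafe('Hello ${name}!', 'greet');
console.log(greet.name, '->', greet({ name: 'Ada' }));          // greet -> Hello Ada!
const hijacked = compileUnsafe('Hello ${name}!', PAYLOAD);
console.log('unsafe:', hijacked({ name: 'Ada' }), 'pwned =', globalThis.pwned);
const safe = compileSafe('Hello ${name}!', PAYLOAD);
console.log('safe:', safe({ name: 'Ada' }));                   // safe: Hello Ada!
```

The unsafe path shows why the advisory's workaround is phrased the way it is: the damage happens when the template is compiled, before any template is ever rendered, so filtering the rendered output does not help; the display name must either be trusted or kept out of generated source entirely.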

Key dates

Disclosure timeline

September 3, 2024 CVE published
September 3, 2024 Record updated