Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EJS security vulnerability #323

Closed
crazyair opened this issue Dec 1, 2017 · 8 comments
Closed

EJS security vulnerability #323

crazyair opened this issue Dec 1, 2017 · 8 comments

Comments

@crazyair
Copy link

crazyair commented Dec 1, 2017
edited
Loading

image
@mde
Copy link
Owner

mde commented Dec 1, 2017

Could you provide me with a little more context here?

@Boydbueno
Copy link

Boydbueno commented Dec 1, 2017
edited
Loading

https://nvd.nist.gov/vuln/detail/CVE-2017-1000188

nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scripting in the ejs.renderFile() resulting in code injection

@RyanZim
Copy link
Collaborator

RyanZim commented Dec 1, 2017

Wow, wasn't aware there was a CVE for this. @qq645381995 You need to upgrade to the latest version of EJS.

@mde Shouldn't we deprecate all the older versions?

@RyanZim RyanZim changed the title What's the problem EJS security vulnerability Dec 1, 2017
@mde
Copy link
Owner

mde commented Dec 1, 2017

There's not a great way to prevent people from using older versions, unless we un-publish from NPM, which could cause even worse problems (c.f., "left pad").

@RyanZim
Copy link
Collaborator

RyanZim commented Dec 1, 2017
edited
Loading

@mde I was referring to npm deprecate. That way they get a warning in the console on installation.

@mde
Copy link
Owner

mde commented Dec 2, 2017

Oh, nice. I haven't used that. (What version of NPM added that? :)) I'll add a deprecation ASAP.

@RyanZim
Copy link
Collaborator

RyanZim commented Dec 2, 2017

@mde I don't remember hearing about it being added, so I don't know if it existed ever since I was in the Node world, or if I just never heard any fanfare.

@mde
Copy link
Owner

mde commented Jan 3, 2018

Deprecated all versions < 2.5.5.

screen shot 2018-01-02 at 4 20 23 pm

@mde mde closed this as completed Jan 3, 2018
mef added a commit to mef/hexo-generator-seo-friendly-sitemap that referenced this issue May 6, 2018
@mef
updated ejs dependency to non-vulnerable version
59da7a6 
cf. mde/ejs#323
@mef mef mentioned this issue May 6, 2018
Closed
@tr90814 tr90814 mentioned this issue Jun 5, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mde @Boydbueno @crazyair @RyanZim