react-scripts 5 is using EJS as a dependency, which has "Server side template injection high CVE in ejs@3.1.9"

[sonu-jmh]

• React-scripts 5 is using ejs@3.1.9 as inner dependency as described at the bottom.
• Ejs@3.1.9 has a critical CVE with severity (9.8)
• How the CVE is going to be solved when the react-scripts is being used?
• Is there any alternative library present that can be used instead of ejs incase the fix for CVE is not available?
• The author of ejs library is not acknowledging the cve and has warned to use the render method to avoid the vulnerability.

Dependency Path:
react-scripts-5.0.1.tgz -> workbox-webpack-plugin-6.5.4.tgz -> workbox-build-6.5.4.tgz ->rollup-plugin-off-main-thread-2.2.3.tgz -> ejs-3.1.9.tgz

[suryaprakash539]

Iam facing the same issue with ejs@3.19. Any ETA when it will be fixed ?

[ninthz]

Iam facing the same issue with ejs@3.19. Any ETA when it will be fixed ?

Me too. any suggest?
😭😭😭

[oylp1988]

Me too. any suggest? +1

[austinhoang221]

Still not being fixed?

[sertechside]

Hi Team, this is open now for 1 year, when react-script* update with fixes also will be available?
thank you, kind regards.

note - CVE-2024-33883:
react-scripts-5.1.0-next.14.tgz ->workbox-webpack-plugin-6.6.60.tgz-workbox-build-6.6.0.tgs -> rollup-plugin-off-main-thread-2.2.3.tgx-ejs3.1.9