PT-2023-12842 · Eta · Eta

Rayhan Ahmed Niloy

Published

2023-01-30

Updated

2025-03-27

CVE-2022-25967

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions eta versions prior to 2.0.0

Description The issue allows for Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API. This is exploitable only for users who are rendering templates with user-defined data.

Recommendations For versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the rendering of templates with user-defined data until a patch is available.

Exploit

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2022-25967

GHSA-MF6X-HRGR-658F

Affected Products

Eta

PT-2023-12842 · Eta · Eta

CVE-2022-25967

Weakness Enumeration

Related Identifiers

Affected Products

References · 10