CVE-2022-25967

High · RCE

Published: 30 January 2023

Modified: 27 March 2025
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1902 (95.5th percentile)
Risk Priority: 28 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-25967 is a high-severity Code Injection (CWE-94) vulnerability in the eta package from Eta.js. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 4.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2022-25967 affects versions of the eta templating package prior to 2.0.0. It permits remote code execution when template engine configuration variables can be overwritten by view options supplied through the Express render API, but only in cases where templates are rendered using user-defined data. The issue is tracked under CWE-94 and carries a CVSS 3.1 score of 8.1.

An attacker who can influence the data passed to Express rendering calls can supply crafted view options that alter eta internals, resulting in arbitrary code execution on the server with impacts to confidentiality, integrity, and availability.

References including the Snyk advisory and the eta repository commit 5651392 show that the flaw is addressed by the 2.0.0 release, with changes to compile-string.ts and file-handlers.ts that prevent configuration variables from being overwritten by untrusted input.
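A dependency check for the fix boundary described above, as an added example (not code from the eta project or the advisories): it scans a parsed npm lockfile for direct and transitive copies of eta older than 2.0.0. The sample lockfile and the package names `demo-app`, `some-cms` and `tpl` are constructed.

```javascript
const FIXED = [2, 0, 0]; // first fixed release, per the advisory text

// Classify one version string against the fixed release.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+\S*)?$/.exec(String(version));
  if (!m) return 'unknown'; // git URL, tarball, etc.: review by hand
  const nums = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i] ? 'before-fix' : 'fixed';
  }
  // Assumption: a 2.0.0 prerelease sorts before 2.0.0, so treat it as affected.
  return m[4] ? 'before-fix' : 'fixed';
}

// Return every installed copy of eta, direct or transitive, with its status.
function findEta(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project itself
    const name = meta.name || path.split('node_modules/').pop(); // "name" is set for aliases
    if (name === 'eta') hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === 'eta') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map((h) => ({ ...h, status: classify(h.version) }));
}

// Constructed sample lockfile; not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/eta': { version: '1.12.3' },
    'node_modules/some-cms/node_modules/eta': { version: '2.0.0' },
    'node_modules/tpl': { name: 'eta', version: '2.0.0-beta.1' },
  },
};
```

Pass it the result of `JSON.parse` on a real `package-lock.json`; an `unknown` status means the entry is not a plain semver version and needs manual review.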

The EPSS score sits at a current and peak value of 0.1902 with no material rise after disclosure.

Vulnerability details

Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from the Express render API. **Note:** This is exploitable only for users who are rendering templates with user-defined data.

CWE(s)

CWE-94 (Code Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

eta.js
eta
≤ 2.0.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.
