Cyber Resilience

CVE-2023-29827

Critical · Public PoC

Published: 04 May 2023

Modified: 03 December 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6627 (98.6th percentile)
Risk Priority: 59 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-29827 is a critical-severity injection (CWE-74) vulnerability in ejs. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

ejs version 3.1.9 contains a server-side template injection flaw tracked as CVE-2023-29827 and assigned CWE-74. The issue arises when an attacker can control the EJS template file and supply a malicious closeDelimiter setting, allowing arbitrary template directives to be processed during rendering. The vulnerability received a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker who can influence the template source can leverage the flaw to execute arbitrary code or access sensitive data on the server. Exploitation requires that the application passes attacker-controlled content to the EJS render function, which the vendor states is outside the intended use of the library.

Vendor documentation in the referenced GitHub SECURITY.md file and issue 720 explicitly classifies this class of input as out of scope, noting that the render API is not designed to accept untrusted templates and that applications must sanitize or restrict template sources themselves.
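The vendor guidance above (restrict template sources and keep untrusted input out of the render settings) sketched as an added example; it is not code from the ejs project or from this page. `TEMPLATES`, `FIXED_OPTIONS`, `RESERVED` and `buildRenderCall` are hypothetical names, the request body is constructed, and the `ejs.render` call appears only as a comment so the block runs without the package installed.

```javascript
// Templates are server-authored and selected by key; request data never
// supplies template source text or a file path.
const TEMPLATES = Object.freeze({
  profile: '<h1><%= name %></h1><p><%= bio %></p>',
  receipt: '<p>Order <%= orderId %>, total <%= total %></p>',
});

// Render options are application constants (these are the EJS defaults).
const FIXED_OPTIONS = Object.freeze({ openDelimiter: '<', delimiter: '%', closeDelimiter: '>' });

// EJS option names, plus Express's "settings", that must never arrive as locals.
const RESERVED = new Set([
  'delimiter', 'openDelimiter', 'closeDelimiter', 'outputFunctionName',
  'localsName', 'destructuredLocals', 'escape', 'client', 'filename', 'root',
  'views', 'cache', 'context', 'debug', 'compileDebug', 'strict', '_with',
  'rmWhitespace', 'async', 'includer', 'settings',
]);

// Hypothetical helper: returns the arguments to hand to ejs.render().
function buildRenderCall(templateKey, requestData) {
  if (!Object.prototype.hasOwnProperty.call(TEMPLATES, templateKey)) {
    throw new Error(`unknown template: ${JSON.stringify(templateKey)}`);
  }
  const locals = Object.create(null);
  const rejected = [];
  for (const [key, value] of Object.entries(requestData || {})) {
    // Only flat scalar values become locals; nested objects are dropped.
    const scalar = ['string', 'number', 'boolean'].includes(typeof value);
    if (RESERVED.has(key) || key === '__proto__' || !scalar) {
      rejected.push(key); // worth logging: option names in a request body are a signal
    } else {
      locals[key] = value;
    }
  }
  return { template: TEMPLATES[templateKey], locals, options: { ...FIXED_OPTIONS }, rejected };
}

// Constructed request body: two legitimate fields plus option-shaped keys.
const sampleBody = { name: 'Ada', bio: 'Engineer', closeDelimiter: 'X', settings: { 'view options': {} } };
const call = buildRenderCall('profile', sampleBody);
console.log('rejected keys:', call.rejected);
// With the package installed: ejs.render(call.template, call.locals, call.options)
```

The rejected list doubles as a detection hook: a request that carries `closeDelimiter` or `settings` has no legitimate reason to do so in this design.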

EPSS for the CVE rose from lower values to a peak of 0.8540 on 2026-02-03 before receding to the current score of 0.6627, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ejs
ejs
≥ 3.1.9

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
