CVE-2023-29827
Published: 04 May 2023
Summary
CVE-2023-29827 is a critical-severity Injection (CWE-74) vulnerability in ejs. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
ejs version 3.1.9 contains a server-side template injection flaw tracked as CVE-2023-29827 and assigned CWE-74. The issue arises when an attacker can control the EJS template file and supply a malicious closeDelimiter setting, allowing arbitrary template directives to be processed during rendering. The vulnerability received a CVSS 3.1 base score of 9.8.
An unauthenticated remote attacker who can influence the template source can leverage the flaw to execute arbitrary code or access sensitive data on the server. Exploitation requires that the application passes attacker-controlled content to the EJS render function, which the vendor states is outside the intended use of the library.
Vendor documentation in the referenced GitHub SECURITY.md file and issue 720 explicitly classifies this class of input as out of scope, noting that the render API is not designed to accept untrusted templates and that applications must sanitize or restrict template sources themselves.
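One way an application can restrict template sources and settings itself, as the vendor guidance above requires. This is an added example, not code from the ejs project or from the advisory; `buildRenderCall`, the `TEMPLATES` map and its paths are hypothetical names constructed for illustration.

```javascript
// Added example: hypothetical wrapper, not part of ejs or Express.
// Template names map to fixed files chosen by the developer (constructed paths).
const TEMPLATES = new Map([
  ['profile', 'views/profile.ejs'],
  ['invoice', 'views/invoice.ejs'],
]);

// EJS option names (plus Express's `settings`) that must never come from a request.
const RESERVED_KEYS = new Set([
  'delimiter', 'openDelimiter', 'closeDelimiter', 'filename', 'root', 'views',
  'client', 'escape', 'outputFunctionName', 'localsName', 'destructuredLocals',
  'cache', 'context', 'scope', 'compileDebug', 'debug', 'strict', '_with',
  'rmWhitespace', 'async', 'includer', 'legacyInclude', 'settings',
  '__proto__', 'constructor', 'prototype',
]);

// Render options are pinned server-side (EJS default delimiters) and frozen.
const FIXED_OPTIONS = Object.freeze({
  delimiter: '%', openDelimiter: '<', closeDelimiter: '>',
});

function buildRenderCall(templateName, untrustedData) {
  // The caller may only pick a template by name from the allowlist.
  if (typeof templateName !== 'string' || !TEMPLATES.has(templateName)) {
    throw new Error('unknown template');
  }
  const data = Object.create(null); // no prototype to pollute
  const rejected = [];
  const input =
    untrustedData !== null && typeof untrustedData === 'object' ? untrustedData : {};
  for (const key of Object.keys(input)) {
    const value = input[key];
    // Policy assumed for this sketch: forward scalars only, never option names.
    const isScalar = ['string', 'number', 'boolean'].includes(typeof value);
    if (RESERVED_KEYS.has(key) || !isScalar) {
      rejected.push(key); // worth logging: a request tried to set render options
      continue;
    }
    data[key] = value;
  }
  return { file: TEMPLATES.get(templateName), data, options: FIXED_OPTIONS, rejected };
}
```

The returned `file`, `data` and `options` are meant to be passed as separate arguments to `ejs.renderFile`, so request data never reaches the options argument or the template source.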
EPSS for the CVE rose from lower values to a peak of 0.8540 on 2026-02-03 before receding to the current score of 0.6627, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33364
Vulnerability details
ejs v3.1.9 is vulnerable to server-side template injection. If the ejs file is controllable, template injection can be implemented through the configuration settings of the closeDelimiter parameter. NOTE: this is disputed by the vendor because the render function is not intended to be used with untrusted input.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
- Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.