CVE-2022-29078: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2022-29078) affects the ejs (Embedded JavaScript templates) package version 3.1.6 for Node.js. The vulnerability was discovered in April 2022 and allows server-side template injection through the settings[view options][outputFunctionName] parameter. This vulnerability enables attackers to execute arbitrary OS commands upon template compilation (NVD, EJS Blog).

The vulnerability exists in the way EJS handles the outputFunctionName option. When processing template options, the library fails to properly validate the outputFunctionName parameter, which is parsed as an internal option. This parameter is directly included in the template's compiled code without proper sanitization, allowing attackers to inject and execute arbitrary code. The vulnerability has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Successful exploitation of this vulnerability can lead to multiple severe consequences including disclosure of sensitive information, addition or modification of data, and potential Denial of Service (DoS). Most critically, it allows attackers to execute arbitrary OS commands on the affected system, potentially leading to complete system compromise (NetApp Advisory).

The vulnerability has been fixed in EJS version 3.1.7, released on April 20, 2022. Users are strongly advised to upgrade to this or a later version. The fix includes improved validation of the outputFunctionName parameter to prevent code injection (EJS Releases).