CVE-2023-29827: 
Linux Debian vulnerability analysis and mitigation

EJS version 3.1.9 was reported to be vulnerable to server-side template injection through the configuration settings of the closeDelimiter parameter when the EJS file is controllable. This vulnerability is identified as CVE-2023-29827. However, this vulnerability is disputed by the vendor because the render function is not intended to be used with untrusted input (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')). The issue specifically involves the potential for template injection through manipulation of the closeDelimiter parameter in the configuration settings (NVD).

If successfully exploited, this vulnerability could allow an attacker to perform server-side template injection when the EJS file is controllable. This could potentially lead to code execution on the affected system (GitHub Issue).

The vendor has clarified that this is considered out-of-scope as the EJS render method should not be used with untrusted input. According to the security policy, giving end-users unfettered access to the EJS render method is considered an inherently insecure way of using EJS. Users should implement proper input validation before passing data to the render method (Security Policy).