CVE-2022-29078: Critical Server-Side Template Injection Vulnerability in EJS Library (v3.1.6)

A critical severity vulnerability (CVE-2022-29078) has been identified in the ejs (Embedded JavaScript templates) package version 3.1.6 for Node.js. The vulnerability allows for server-side template injection via the `settings[view options][outputFunctionName]` parameter. This input is incorrectly parsed as an internal option, enabling an attacker to overwrite the `outputFunctionName` option with an arbitrary operating system command. The injected command is then executed during the template compilation process. The vulnerability has a CVSS score of 9.8, indicating critical severity. The vulnerable library was detected in the dependency chain of a project, specifically within `ejs-0.8.8.tgz`, which is a dependency of `ejs-locals-1.0.2.tgz`. The issue was published on April 25, 2022. The suggested fix is to upgrade the ejs package to version 3.1.7 or later, which addresses the security flaw. This vulnerability poses a significant risk of remote code execution on affected servers.