Anonymous Intelligence Signal

CVE-2017-1000188: Legacy EJS Library ejs-0.8.8.tgz Harbors Persistent XSS Risk, Code Injection Threat

human The Lab unverified 2026-03-29 05:27:03 Source: GitHub Issues

A security flaw, designated CVE-2017-1000188, has been identified in the legacy `ejs-0.8.8.tgz` library, exposing dependent applications to cross-site scripting (XSS) and, through it, code injection. The flaw is a cross-site scripting issue in the `ejs.renderFile()` function that results in code injection via the `filename` option; it affects EJS versions older than 2.5.5 and carries a medium severity score of 6.1. Where an attacker can influence the `filename` option passed to `renderFile()`, the flaw poses a direct threat to application integrity and user data.

The vulnerability was publicly disclosed in November 2017, yet its detection in a current dependency chain highlights a persistent software supply chain risk. The scan shows the vulnerable library nested within the dependency hierarchy of `ejs-locals-1.0.2.tgz`: `ejs-locals` is the direct (root-level) dependency, and the vulnerable `ejs-0.8.8.tgz` is a transitive dependency pulled in beneath it. Projects that depend on `ejs-locals` therefore inherit this outdated and insecure copy of the EJS templating engine without ever declaring it themselves, a hidden attack vector that persists long after the patch was available.

The presence of this years-old vulnerability in a modern codebase underscores the challenges of dependency management and the lingering dangers of unmaintained legacy components. It signals significant pressure on development and security teams to audit their software bill of materials (SBOM) down to transitive dependencies, not just the packages they declare directly. The suggested fix is a version upgrade to EJS 2.5.5 or later, with one caveat: because the vulnerable copy is nested under `ejs-locals`, bumping the application's own `ejs` dependency does not replace it. The parent package must be updated to one that resolves a patched EJS, or the nested copy must be forced to a fixed version with an override (for example npm `overrides`, or the equivalent in the package manager in use). The discovery emphasizes that known vulnerabilities can remain dormant in complex dependency trees, requiring continuous vigilance and automated scanning to mitigate.
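The nested-dependency finding above, and the audit it calls for, can be reproduced directly from a project's lock file. The script below is an added example, not code from the original page or from the EJS or ejs-locals projects: it walks an npm lock file, flags every copy of `ejs` below 2.5.5, and prints the dependency path that pulls each one in, so a transitive copy under `ejs-locals` is reported separately from a patched top-level copy. It handles both the nested `dependencies` layout of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3. The two lock trees embedded in it are constructed samples that mirror the page's finding; the advisory record, the `walkV1`, `walkPackages`, `findVulnerable` and `report` helper names, and the simplified version comparison are this example's own choices.

```javascript
// Added example (not from the original page or the EJS project): report every
// copy of a package below its fixed version in an npm lock file, with the
// dependency path that introduces it.

// Advisory data as stated on the page: ejs < 2.5.5 is affected.
const ADVISORY = { name: "ejs", fixedIn: "2.5.5", id: "CVE-2017-1000188" };

// Constructed sample, lockfileVersion 1 (nested "dependencies"). The root pulls
// in ejs-locals 1.0.2, which carries its own nested ejs 0.8.8, while the
// top-level ejs is already patched. Not a real project's lock file.
const SAMPLE_LOCK_V1 = {
  name: "sample-app",
  lockfileVersion: 1,
  dependencies: {
    "ejs-locals": {
      version: "1.0.2",
      dependencies: { ejs: { version: "0.8.8" } },
    },
    ejs: { version: "2.5.5" },
  },
};

// The same tree as lockfileVersion 3 writes it (flat "packages" map keyed by
// install path). Also constructed.
const SAMPLE_LOCK_V3 = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/ejs": { version: "2.5.5" },
    "node_modules/ejs-locals": { version: "1.0.2" },
    "node_modules/ejs-locals/node_modules/ejs": { version: "0.8.8" },
  },
};

// Numeric comparison of dotted versions. Prerelease tags are dropped, which is
// enough for an "is it below the fixed release" check.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerable(name, version, advisory) {
  return name === advisory.name && compareVersions(version, advisory.fixedIn) < 0;
}

// lockfileVersion 1: each entry may carry its own nested "dependencies".
function walkV1(deps, path, hits, advisory) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    if (isVulnerable(name, entry.version, advisory)) {
      hits.push({ path: here, version: entry.version });
    }
    walkV1(entry.dependencies, here, hits, advisory);
  }
}

// lockfileVersion 2/3: keys such as "node_modules/ejs-locals/node_modules/ejs"
// already encode the path; "" is the root project itself.
function walkPackages(packages, hits, advisory) {
  for (const [key, entry] of Object.entries(packages)) {
    if (key === "") continue;
    const here = key
      .split("node_modules/")
      .map((s) => s.replace(/\/$/, ""))
      .filter(Boolean);
    const name = here[here.length - 1];
    if (isVulnerable(name, entry.version, advisory)) {
      hits.push({ path: here, version: entry.version });
    }
  }
}

// Returns [{ path: ["ejs-locals", "ejs"], version: "0.8.8" }, ...].
function findVulnerable(lock, advisory = ADVISORY) {
  const hits = [];
  if (lock.packages) walkPackages(lock.packages, hits, advisory);
  else walkV1(lock.dependencies, [], hits, advisory);
  return hits;
}

// One human-readable finding per vulnerable copy.
function report(lock, advisory = ADVISORY) {
  return findVulnerable(lock, advisory).map(
    (h) => `${advisory.id}: ${advisory.name}@${h.version} via ${h.path.join(" > ")} (fixed in ${advisory.fixedIn})`
  );
}

console.log(report(SAMPLE_LOCK_V1).join("\n"));
console.log(report(SAMPLE_LOCK_V3).join("\n"));
```

Both sample trees produce a single finding, `ejs@0.8.8 via ejs-locals > ejs`, while the patched top-level `ejs@2.5.5` is correctly ignored; that is exactly the case where a reviewer who only looks at the project's declared dependencies would see nothing wrong. To run it against a real project, replace the sample object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls ejs` gives the same path view from the CLI, and `npm audit` will raise the same advisory.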