Critical RCE Vulnerability CVE-2017-1000228 Found in Outdated ejs-0.8.8.tgz Package
A critical, remotely exploitable vulnerability has been flagged in a widely used JavaScript templating library, exposing dependent applications to potential code execution attacks. The flaw, tracked as CVE-2017-1000228 with a Critical-severity CVSS score of 9.8, resides in versions of the EJS (Embedded JavaScript templates) library older than 2.5.3. The specific detection points to version 0.8.8, a severely outdated release, bundled within the `ejs-locals-1.0.2.tgz` package.
The vulnerability stems from insufficient input validation in the `ejs.renderFile()` function. This weakness allows an attacker to inject and execute arbitrary code on the server where the vulnerable library is running. The detection report shows the vulnerable library nested within a dependency chain, located at `/node_modules/ejs-locals/node_modules/ejs/package.json`. This structure indicates the risk may be inherited by any project depending on the `ejs-locals` package, potentially affecting a wide range of Node.js applications that have not updated their dependencies in years. Because the copy is nested, a project can carry a patched top-level `ejs` and still ship the vulnerable one, so checking only the direct dependency is not enough.
Despite being publicly disclosed in November 2017, the presence of this ancient, high-severity flaw in a current codebase signals significant security debt and supply chain risk. Organizations relying on legacy or unmaintained npm packages face immediate pressure to audit their dependency trees. The persistence of such a vulnerability allows attackers to target outdated systems that have not applied the six-year-old patch, turning forgotten dependencies into potent attack vectors for remote compromise.