CVE-2017-1000188: Legacy EJS Library ejs-0.8.8.tgz Harbors Medium-Severity XSS Vulnerability
A legacy version of the popular Embedded JavaScript templating library, EJS, remains an active security liability in modern software projects. The specific version, `ejs-0.8.8.tgz`, detected as a dependency, contains a documented Cross-Site Scripting (XSS) vulnerability (CVE-2017-1000188) that could lead to remote code injection. This flaw, with a CVSS score of 6.1 (Medium), is exploitable through the `ejs.renderFile()` function, allowing attackers to inject and execute arbitrary JavaScript code in the context of a victim's browser.
The vulnerability is not in a direct project dependency but is nested within the dependency chain, introduced by the library `ejs-locals-1.0.2.tgz`. This pattern highlights a common and persistent risk in software supply chains: outdated, transitive dependencies that developers may not be actively monitoring. The path `/node_modules/ejs-locals/node_modules/ejs/package.json` confirms the vulnerable package is buried within the project's structure, making it less visible during routine audits.
While the CVE was published in November 2017, its detection in current projects signals ongoing exposure. The suggested fix is a straightforward version upgrade to EJS 2.5.5 or later, which patches the vulnerability. However, the persistence of this seven-year-old flaw underscores the challenges of comprehensive dependency management and the latent risks that can reside unnoticed in complex node_modules hierarchies, potentially exposing applications to client-side attacks.