Critical 9.8 CVSS Vulnerabilities Found in EJS 2.7.4, Autoclosed Issue Raises Supply Chain Risk
A GitHub security scan has flagged the npm package `ejs-2.7.4.tgz` with three vulnerabilities, including two rated with a critical CVSS score of 9.8. The findings, which were automatically closed, highlight a severe and persistent risk for any project still dependent on this outdated version of the popular Embedded JavaScript templating library. The most severe flaw, CVE-2022-29078, carries an Exploit Prediction Scoring System (EPSS) probability of 93.5%, indicating a high likelihood of active exploitation. A second critical vulnerability, WS-2021-0153, and a medium-severity issue, CVE-2024-33883, complete the trio of security gaps present in this direct dependency.
The vulnerabilities are rooted in the library's code and have known fixes available in newer versions. The critical CVE-2022-29078 is remediated in ejs v3.1.7, while WS-2021-0153 is fixed in version 3.1.6. Despite the availability of patches, the discovery of these flaws in a live dependency file (`/package.json`) points to a potentially widespread exposure. The automatic closure of the issue, without explicit confirmation of remediation, could signal a dangerous oversight in the project's security posture, leaving it vulnerable to remote code execution or other attacks.
This case underscores the silent, cascading risk within software supply chains. Countless applications and services rely on EJS for server-side rendering, making this a systemic threat. The high EPSS score for CVE-2022-29078 suggests that malicious actors are likely scanning for and targeting this specific weakness. Organizations and developers must audit their dependencies immediately, verify that the issue was closed only after an upgrade to a patched version, and reassess their vulnerability management workflows to prevent critical alerts from being dismissed without action.
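The verification step above can be scripted. As an added example (not code from the report or the EJS project), this checks the ejs version pinned in an npm lockfile against the fixed versions the report names, so an auto-closed alert is confirmed against the installed version rather than trusted; the lockfile fragments are constructed, and CVE-2024-33883 is carried with no fixed version because the report does not state one.

```javascript
// Advisory data as given in the report; fixedIn: null means the report states no fixed version.
const EJS_ADVISORIES = [
  { id: "CVE-2022-29078", severity: "critical", fixedIn: "3.1.7" },
  { id: "WS-2021-0153",   severity: "critical", fixedIn: "3.1.6" },
  { id: "CVE-2024-33883", severity: "medium",   fixedIn: null },   // no fixed version in the report
];

// Parse "3.1.7", "v3.1.7" or "^3.1.7" into [3, 1, 7]; null for specs that pin nothing ("*", "latest").
function parseVersion(spec) {
  const m = /^[\^~v=]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Advisories still open for an exact installed version (take it from the lockfile, not the package.json range).
function openAdvisories(installedVersion) {
  const installed = parseVersion(installedVersion);
  if (!installed) throw new Error(`cannot parse ejs version: ${installedVersion}`);
  return EJS_ADVISORIES.filter(
    (adv) => adv.fixedIn === null || compareVersions(installed, parseVersion(adv.fixedIn)) < 0
  );
}

// Constructed lockfile fragments in the npm lockfileVersion 2/3 "packages" shape (not from a real repository).
const SAMPLE_LOCK_OLD = { packages: { "node_modules/ejs": { version: "2.7.4" } } };
const SAMPLE_LOCK_NEW = { packages: { "node_modules/ejs": { version: "3.1.7" } } };

// Resolve the installed ejs version from a parsed lockfile; null when ejs is not installed.
function installedEjsVersion(lock) {
  const entry = lock.packages && lock.packages["node_modules/ejs"];
  return entry ? entry.version : null;
}

// Was closing the alert justified? Only when every advisory with a stated fix is below the installed version.
// Advisories without a stated fixed version cannot be cleared automatically and are flagged for manual review.
function auditEjs(lock) {
  const version = installedEjsVersion(lock);
  if (version === null) return { version: null, open: [], knownFixesApplied: true, needsManualReview: false };
  const open = openAdvisories(version);
  const knownFixesApplied = open.every((a) => a.fixedIn === null);
  const needsManualReview = open.some((a) => a.fixedIn === null);
  return { version, open: open.map((a) => a.id), knownFixesApplied, needsManualReview };
}

console.log(auditEjs(SAMPLE_LOCK_OLD)); // 2.7.4: all three advisories open, known fixes not applied
console.log(auditEjs(SAMPLE_LOCK_NEW)); // 3.1.7: both criticals closed, medium still needs manual review
```

Point `installedEjsVersion` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; a `knownFixesApplied: false` result means the closed alert should be reopened.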