
Finding RCE in NodeJS templating engine ‘Eta’ - CVE-2022-25967

This write-up analyzes CVE-2022-25967, a remote code execution bug in the Eta Node.js templating engine (versions before 2.0.0) caused by unsafe propagation of Express render options into Eta's template compilation config. When Eta is registered as an Express view engine, its file-rendering path merges the Express `settings['view options']` object into its own config, so an attacker who controls that object can overwrite fields such as `varName`, `include`, `includeFile`, and `useWith`. `compileToString()` then interpolates those values directly into the JavaScript source that is handed to `new Function()` to build the template function, with no check that `varName` is actually an identifier. Setting `varName` to an expression such as `process.mainModule.require('child_process').execSync(...)` therefore causes arbitrary code to run the next time a template is rendered.

Exploitation requires either user-controlled data reaching the Express `settings` object or a server-side prototype pollution primitive that lets the attacker plant `view options` (or its fields) on an inherited prototype. That makes this a useful real-world example of a templating-engine gadget chain rather than a purely theoretical bug: the engine itself is the sink, and the source can be any other bug that writes into shared configuration. Practitioners should check that `view options` are never derived from request data, and that any config value which ends up inside generated code is validated as a bare identifier before compilation.
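The following is an added example, not code from the write-up or from the Eta project. It is a toy template compiler that reproduces the pattern described above (a configuration value pasted verbatim into source passed to `new Function()`), and a hardened variant that allow-lists the option keys it accepts and validates `varName` as a plain identifier. The template syntax, function names, and the `globalThis.__injectedMarker` side effect used to prove that injected code ran are all constructed for this illustration; no shell command is executed.

```javascript
// Toy model of the CVE-2022-25967 pattern (not Eta's code). The "engine"
// compiles "<%= expr %>" templates into a function whose parameter name is
// taken from config.varName. The unsafe path trusts that name blindly.
const DEFAULTS = { varName: 'it', useWith: false };
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Shared code generator: config.varName is interpolated straight into the
// generated source, exactly the sink the write-up describes.
function compileToString(template, config) {
  const parts = template.split(/<%=([\s\S]+?)%>/);
  let body = "var tR='';\n";
  if (config.useWith) body += `with(${config.varName}||{}){\n`;
  parts.forEach((part, i) => {
    body += i % 2 === 0
      ? `tR+=${JSON.stringify(part)};\n`   // literal text
      : `tR+=(${part.trim()});\n`;         // template expression
  });
  if (config.useWith) body += '}\n';
  return body + 'return tR;';
}

// Vulnerable: merges whatever options the caller passes (e.g. Express
// "view options") and uses varName both as a parameter name and inside
// the body. An expression in varName becomes executable code.
function compileUnsafe(template, options) {
  const config = Object.assign({}, DEFAULTS, options);
  return new Function(config.varName, compileToString(template, config));
}

// Hardened: copy only allow-listed *own* keys (so inherited, prototype-
// polluted properties are ignored) and refuse any varName that is not a
// bare identifier before it can reach generated code.
function compileSafe(template, untrustedOptions) {
  const config = Object.assign({}, DEFAULTS);
  const src = untrustedOptions || {};
  for (const key of ['varName', 'useWith']) {
    if (Object.prototype.hasOwnProperty.call(src, key)) config[key] = src[key];
  }
  if (typeof config.varName !== 'string' || !IDENTIFIER.test(config.varName)) {
    throw new TypeError(`varName must be a plain identifier, got ${JSON.stringify(config.varName)}`);
  }
  config.useWith = Boolean(config.useWith);
  return new Function(config.varName, compileToString(template, config));
}

// Constructed payload: an assignment expression in place of the variable
// name. Instead of a shell command it sets a global marker so the effect
// is observable offline.
const PAYLOAD_OPTIONS = {
  useWith: true,
  varName: "it=(globalThis.__injectedMarker='code ran',{name:'x'})",
};

// Runs both compilers against the same template and reports what happened.
function demo() {
  delete globalThis.__injectedMarker;
  const template = 'Hello <%= it.name %>';

  compileUnsafe(template, PAYLOAD_OPTIONS)({ name: 'Alice' });
  const markerSet = globalThis.__injectedMarker === 'code ran';

  let safeRejected = false;
  try {
    compileSafe(template, PAYLOAD_OPTIONS);
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }

  const safeOutput = compileSafe(template, { varName: 'it' })({ name: 'Alice' });
  return { markerSet, safeRejected, safeOutput };
}
```

`demo()` returns `{ markerSet: true, safeRejected: true, safeOutput: 'Hello Alice' }`: the unsafe compiler executes the injected expression as soon as the template is rendered, while the hardened one rejects the same options at compile time and still renders normally for a legitimate identifier. The `hasOwnProperty` filter is what neutralises the prototype-pollution entry point the write-up mentions; the identifier check is what closes the code-injection sink even when the option is set directly.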


This post is licensed under CC BY 4.0 by the author.