squirrelly is vulnerable to Code Injection
81
High Risk
The template compiler in compile-string.ts embeds the defaultFilter configuration option directly into the generated JavaScript function source without escaping. When an application forwards attacker-controlled data into the Squirrelly render options, a crafted defaultFilter value breaks out of the generated string literal and injects arbitrary code that runs while the template is compiled and rendered. This results in remote code execution in the Node.js process. The fix serializes the filter name with JSON.stringify before embedding it so the value is treated as data rather than code.
You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input into the Squirrelly configuration options (for example forwarding request data as render options).
squirrelly is vulnerable to Code Injection in versions 8.0.0 - 9.1.0.
Upgrade the squirrelly library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant