Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2021-32819

HIGH
Published 2021-05-14T00:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-32819. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
8.0
/10
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.889
probability
of exploitation in the wild

There is a 88.9% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.995
Higher than 99.5% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Description

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. This issue is fixed in version 9.0.0. For complete details refer to the referenced GHSL-2021-023.

Available Exploits

Nodejs Squirrelly - Remote Code Execution

Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.

ID: CVE-2021-32819
Author: pikpikcu High

References:

Related News

No news articles found for this CVE.

Affected Products

squirrellyjs

squirrelly

Affected Versions:

9.0.0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Insecure template handling in Squirrelly

GHSA-q8j6-pwqx-pm96

Advisory Details

Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. Version 9.0.0 has a fix for this issue. For complete details refer to the referenced [GHSL-2021-023](https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/).

Affected Packages

npm squirrelly
ECOSYSTEM: ≥0 <9.0.0

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-32819
WEB https://github.com/squirrellyjs/squirrelly/pull/254
WEB https://github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e
WEB https://github.com/squirrellyjs/squirrelly/commit/dca7a1e7ee91d8a6ffffb655f3f15647486db9da
PACKAGE https://github.com/squirrellyjs/squirrelly
ADVISORY https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly

Advisory provided by GitHub Security Advisory Database. Published: May 17, 2021, Modified: September 11, 2023

References

https://securitylab.github.com/advisories/GHSL-2021-023-squirrelly/
https://github.com/squirrellyjs/squirrelly/pull/254
https://github.com/squirrellyjs/squirrelly/commit/c12418a026f73df645ba927fd29358efe02fed1e
https://github.com/squirrellyjs/squirrelly/commit/dca7a1e7ee91d8a6ffffb655f3f15647486db9da
Published: 2021-05-14T00:00:00
Last Modified: 2024-08-03T23:33:55.878Z
Copied to clipboard!