Skip to content

fix: Remediate CVE-2024-33883 — upgrade ejs to 3.1.10#44

Open
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1782305817-fix-cve-2024-33883-ejs
Open

fix: Remediate CVE-2024-33883 — upgrade ejs to 3.1.10#44
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1782305817-fix-cve-2024-33883-ejs

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jun 24, 2026

Copy link
Copy Markdown

Summary

Remediates CVE-2024-33883 (HIGH) — ejs versions prior to 3.1.10 are vulnerable to template injection due to insufficient input sanitization. The ejs package was pinned at 1.0.0.

Changes:

  • ejs upgraded from 1.0.03.1.10
  • Removed deprecated ejs-locals@1.0.2 (incompatible with ejs 3.x)
  • Added express-ejs-layouts@^2.5.1 as a maintained drop-in replacement for layout support
# app.js
- var ejsEngine = require('ejs-locals');
+ var expressLayouts = require('express-ejs-layouts');
- app.engine('ejs', ejsEngine);
+ app.use(expressLayouts);

layout.ejs remains unchanged — express-ejs-layouts uses the same <%- body %> convention. The <% layout('layout') -%> calls (ejs-locals API) were removed from index.ejs, edit.ejs, and admin.ejs since express-ejs-layouts applies the layout automatically via middleware.

Context: Part of Aviva Canada's Tower 3 Vulnerability Management pipeline. CVE identified by Tenable scanning, classified as off-EBR critical track.

Link to Devin session: https://app.devin.ai/sessions/4e8cce61f4aa43ec8eb5d7b3d1979bbf
Requested by: @iancmoritz


Devin Review

Status Commit
⚪ Not started

Run Devin Review

Open in Devin Review (Staging)

- Upgrade ejs dependency from 1.0.0 to 3.1.10 to fix template injection vulnerability
- Remove deprecated ejs-locals (1.0.2), incompatible with ejs 3.x
- Add express-ejs-layouts (^2.5.1) as a maintained replacement for layout support
- Update app.js to use express-ejs-layouts middleware instead of ejs-locals engine
- Remove ejs-locals-specific layout() calls from view templates (index, edit, admin)

Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@devin-ai-integration

Copy link
Copy Markdown
Author

CVE-2024-33883 Remediation Summary

Vulnerability: ejs < 3.1.10 is vulnerable to template injection due to insufficient input sanitization.
Severity: HIGH
Source: Tenable scan — Aviva Canada Tower 3 Vulnerability Management pipeline (off-EBR critical track)

What changed

Package Before After
ejs 1.0.0 3.1.10
ejs-locals 1.0.2 removed (deprecated, incompatible with ejs 3.x)
express-ejs-layouts ^2.5.1 (maintained replacement)

Why

  • ejs-locals has not been maintained since 2013 and does not support ejs 3.x
  • express-ejs-layouts provides the same layout functionality (<%- body %> convention) via Express middleware, making it a drop-in replacement
  • View templates (index.ejs, edit.ejs, admin.ejs) had their <% layout('layout') -%> calls removed since express-ejs-layouts applies layouts automatically
  • layout.ejs required no changes — both libraries use the same <%- body %> placeholder

CI Note

The build job failure is preexisting — it's caused by a missing SNYK_TOKEN secret and deprecated CodeQL v1/v2 actions in the workflow files, unrelated to this change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants