CVE-2024-45390 Information

Description

@blakeembrey/template is a string template library. Prior to version 1.2.0 it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround don’t pass untrusted input as the template display name or don’t use the display name feature.

Reference

https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa