react-scripts 5 is using EJS as a dependency, which has "Server side template injection high CVE in ejs@3.1.9"

sonu-jmh commented 1 year ago

React-scripts 5 is using ejs@3.1.9 as inner dependency as described at the bottom.
Ejs@3.1.9 has a critical CVE with severity (9.8)
How the CVE is going to be solved when the react-scripts is being used?
Is there any alternative library present that can be used instead of ejs incase the fix for CVE is not available?
The author of ejs library is not acknowledging the cve and has warned to use the render method to avoid the vulnerability.

Dependency Path: react-scripts-5.0.1.tgz -> workbox-webpack-plugin-6.5.4.tgz -> workbox-build-6.5.4.tgz ->rollup-plugin-off-main-thread-2.2.3.tgz -> ejs-3.1.9.tgz

suryaprakash539 commented 1 year ago

Iam facing the same issue with ejs@3.19. Any ETA when it will be fixed ?

ninthz commented 1 year ago

Iam facing the same issue with ejs@3.19. Any ETA when it will be fixed ?

Me too. any suggest? 😭😭😭

oylp1988 commented 1 year ago

Me too. any suggest? +1

austinhoang221 commented 4 months ago

Still not being fixed?

sertechside commented 4 months ago

Hi Team, this is open now for 1 year, when react-script* update with fixes also will be available?
thank you, kind regards.

note - CVE-2024-33883:
react-scripts-5.1.0-next.14.tgz ->workbox-webpack-plugin-6.6.60.tgz-workbox-build-6.6.0.tgs -> rollup-plugin-off-main-thread-2.2.3.tgx-ejs3.1.9

facebook / create-react-app

react-scripts 5 is using EJS as a dependency, which has "Server side template injection high CVE in ejs@3.1.9" #13180