Finding RCE in Node.js templating engine 'Eta' - CVE-2022-25967
In preparation for the HTB University CTF 2021 Finals, my colleagues and I at Hack The Box discovered a Remote Code Execution vulnerability in the Node.js templating engine ‘Eta’. The vulnerability was reported via Snyk and assigned CVE-2022-25967. This blog post is a short technical write-up of the vulnerability.