EJS can be set as the templating engine for Express, which is a Node.js web application server framework.
Ref: EJS does not allow the ‘cache’ option to be passed in the data object for a normal render call, but this is where Express 2 & 3 put it, so an exception is made for renderFile. As a result, in the case of Express view options, EJS copies everything into the options without restrictions.
Remedy: EJS has issued a fix that prevents code from being injected through the options, especially opts.outputFunctionName. To fix the problem, upgrade to v3.1.7.
Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2022-29078
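The following is an added example, not code from EJS or Express: it keeps request data out of the options path described above and checks that an installed version is at or above the fixed release. The helper names `safeLocals`, `auditRenderData` and `isFixedEjsVersion`, the reserved-key list and the sample query are assumptions of this example.

```javascript
'use strict';

// Keys that must never come from request data. Express passes its app settings
// (including 'view options') to the view engine under `settings`.
const RESERVED_KEYS = new Set(['settings', 'cache', '__proto__', 'constructor', 'prototype']);

// Build template locals from untrusted input using an allow-list of field names.
// Only string/number/boolean values are kept, so nested objects such as
// { settings: { 'view options': {...} } } never reach the renderer.
function safeLocals(untrusted, allowedFields) {
  const out = {};
  for (const field of allowedFields) {
    if (RESERVED_KEYS.has(field)) continue;
    if (!Object.prototype.hasOwnProperty.call(untrusted, field)) continue;
    const value = untrusted[field];
    if (['string', 'number', 'boolean'].includes(typeof value)) out[field] = value;
  }
  return out;
}

// Report reserved keys found in an object that is about to be passed to res.render().
function auditRenderData(data) {
  const findings = Object.keys(data).filter((key) => RESERVED_KEYS.has(key));
  const viewOpts = data.settings && data.settings['view options'];
  if (viewOpts && typeof viewOpts === 'object') {
    for (const opt of Object.keys(viewOpts)) findings.push(`settings.view options.${opt}`);
  }
  return findings;
}

// True when an ejs version string is at or above the fixed release 3.1.7.
function isFixedEjsVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return false;
  const got = m.slice(1).map(Number);
  const fixed = [3, 1, 7];
  for (let i = 0; i < 3; i++) {
    if (got[i] !== fixed[i]) return got[i] > fixed[i];
  }
  return true;
}

// Constructed sample: a parsed query object as an Express handler might receive it.
const sampleQuery = {
  name: 'alice',
  settings: { 'view options': { outputFunctionName: 'constructed-value' } },
};
console.log(auditRenderData(sampleQuery), safeLocals(sampleQuery, ['name', 'settings']));
```

In a route handler, pass the result of `safeLocals(req.query, [...])` to `res.render` instead of the request object itself.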