skip to content
Back to
Home Research Advisories CodeQL Wall of Fame Get Involved Events
May 4, 2021

GHSL-2021-032: Template object injection in Mailtrain - CVE-2021-27136

Agustin Gianni

Coordinated Disclosure Timeline


Dangerous usage of the template rendering API may lead to Cross Site Scripting (XSS), file disclosure, and Remote Code Execution (RCE).



Tested Version

Master branch at commit 281072ac1bb43d539f6dd13ceed6390a8581c248.


Template object injection

Passing attacker supplied objects to the res.render method leads to several security problems such as XSS and file disclosure as demonstrated in the proofs of concepts. The way in which this exploit works is by overwriting internal configuration variables of the rendering engine such as settings.views, with attacker supplied values (in this PoC we have used req.query but any source of data can be used).

There is a non trivial amount of places in which user influenced objects land in a call to res.render. We have used CodeQL to identify potential places that need attention.

From the results of the query we have selected /routes/lists.js to illustrate the issue but there are more cases that behave similarly:

router.get('/create', passport.csrfProtection, (req, res) => {
    let data = tools.convertKeys(req.query, {
        skip: ['layout']

    data.csrfToken = req.csrfToken();

    if (!('publicSubscribe' in data)) {
        data.publicSubscribe = true;

    data.unsubscriptionModeOptions = getUnsubscriptionModeOptions(data.unsubscriptionMode || lists.UnsubscriptionMode.ONE_STEP);

    res.render('lists/create', data);

In the above code we can see that the object data is populated with content coming from the req.query objects which is in turn parsed from the URL. This allow an attacker to craft complex objects that will be supplied to the rendering engine.

XSS Proof of Concept.

An authenticated user can be tricked to open the following URL that will execute arbitrary JavaScript code in the context of the user.


File disclosure

An authenticated user can disclose the content of arbitrary files in the system. The following URL will show the contents of the file /app/setup/mailtrain.conf.



The impact of this vulnerability depends on the underlying template rendering in use. We have verified that XSS and file disclosure are possible but remote code execution cannot be completely discarded.




This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).


You can contact the GHSL team at, please include a reference to GHSL-2021-032 in any communication regarding this issue.