H1514 Server Side Template Injection in Return Magic email templates?

Program: Shopify | Bug Type: SSTI | Bounty: 10000 | Date: 2018-10-13
SSTI RCE supply-chain-vulnerability

Summary

Shopify Return Magic’s workflow email templates may be vulnerable to server-side template injection (SSTI). When {{this}} or related expressions are inserted into an email template, the rendered output shows JavaScript objects, indicating that templates are rendered server-side (likely on Node.js) with access to internal objects. Exploitability is unclear, but the behavior suggests potential SSTI risk. A similar vulnerability was reported on Shopify's Return Magic feature using the Smarty template engine. The researcher demonstrated that this could be escalated to RCE.

This summary was generated by AI
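
One mitigation for the behaviour described in the summary, as an added example that is not from the report or from Return Magic's code: validate merchant-edited templates against an allowlist of merge fields before they reach the server-side renderer. The field names and the `validateTemplate` function are hypothetical, and the `{{ }}` delimiter handling is an assumption based on the `{{this}}` expression quoted above.

```javascript
// Added example: allowlist validator for merchant-edited email templates.
// Field names below are hypothetical, not Return Magic's real merge fields.
const ALLOWED_FIELDS = new Set([
  "customer.first_name",
  "order.number",
  "return.tracking_url",
]);

// Matches {{ ... }} and {{{ ... }}} and captures the inner expression.
const EXPRESSION = /\{\{\{?([\s\S]*?)\}?\}\}/g;

function validateTemplate(source) {
  const rejected = [];
  for (const match of source.matchAll(EXPRESSION)) {
    const expr = match[1].trim();
    // Anything that is not an exact allowlisted field is refused, which covers
    // `this`, helpers, block tags, sub-expressions and unknown paths alike.
    if (!ALLOWED_FIELDS.has(expr)) {
      rejected.push({ expression: match[0], index: match.index });
    }
  }
  // An opening delimiter left over after removing well-formed expressions is
  // malformed input; refuse it rather than guess how the engine would parse it.
  const leftover = source.replace(EXPRESSION, "");
  if (leftover.includes("{{")) {
    rejected.push({ expression: "{{ (unterminated)", index: source.lastIndexOf("{{") });
  }
  return { ok: rejected.length === 0, rejected };
}
```

Run the check when a template is saved and again before rendering, so that a template stored before the check existed is still refused.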

References