Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with view options received from The Express render API.
Note: This is exploitable only for users who are rendering templates with user-defined data.