Description
Versions of larvitbase-api prior to 0.5.5 are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter, unsanitized, to a require() call. Because require() both resolves the path and executes the module's top-level code, an attacker who can reach the endpoint can load and run any .js file in the folder the server is running from, not only the handlers the author meant to expose. Any sibling .js file that a request can name (test helpers, maintenance scripts, build output) is therefore in scope.
Recommendation
Update the larvitbase-api package to the latest compatible version, and confirm with npm ls larvitbase-api that no nested copy of an affected version remains in the dependency tree. Version details:
- Affected version(s): < 0.5.5
- Patched version(s): 0.5.5
References
- GHSA-xf27-jqwv-gf3r
- hackerone.com
- www.npmjs.com
- CVE-2019-5479
- CWE-829
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Tags: npm, larvitbase-api
Last updated on September 11, 2023