Description
Versions of larvitbase-api prior to 0.5.4 are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to a require() call. This allows attackers to execute any .js file in the same folder as the one the server is running from.
Recommendation
Update the larvitbase-api package to the latest compatible version. Version details:
- Affected version(s): < 0.5.5
- Patched version(s): 0.5.5
References
- GHSA-xf27-jqwv-gf3r
- hackerone.com
- www.npmjs.com
- CVE-2019-5479
- CWE-829
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Last updated on September 11, 2023