Description
Versions of larvitbase-api prior to 0.5.4 are vulnerable to Unintended Require. The package exposes an API endpoint and passes a GET parameter, unsanitized, to a require() call. This allows attackers to execute any .js file in the same folder the server is running from.
Recommendation
Update the larvitbase-api package to the latest compatible version. Following are the version details:
- Affected version(s): < 0.5.5
- Patched version(s): 0.5.5
References
- GHSA-xf27-jqwv-gf3r
- hackerone.com
- www.npmjs.com
- CVE-2019-5479
- CWE-829
- CAPEC-310
- OWASP 2021-A6
- OWASP 2021-A8
Last updated on September 11, 2023