Description
All versions of larvitbase-www are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to an require() call. This allows attackers to execute any .js file in the same folder as the server is running.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 0.0.0
References
Related Issues
- Unintended Require in larvitbase-api - CVE-2019-5479
- Arbitrary Code Execution in require-node - Vulnerability
- CamoFox MCP: Unauthenticated HTTP MCP browser-control surface - Vulnerability
- Incorrect default cookie name and recommendation - Vulnerability
You might also like:
- Tags:
- npm
- larvitbase-www
Anything's wrong? Let us know Last updated on January 09, 2023