Unintended Require in larvitbase-www

Severity:: Medium

Description

All versions of larvitbase-www are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to an require() call. This allows attackers to execute any .js file in the same folder as the server is running.

Recommendation

No fix is available yet. Followings are affected versions:

>= 0.0.0

References

GHSA-88h9-fc6v-jcw7
hackerone.com
www.npmjs.com

Related Issues

Expo SDK has an OAuth vulnerability - CVE-2023-28131
tRPC 11 WebSocket DoS Vulnerability - CVE-2025-43855
@rpldy/uploader prototype pollution - CVE-2024-57082
Signature Malleabillity in elliptic - CVE-2020-13822

Tags:: npm; larvitbase-www

Anything's wrong? Let us know Last updated on January 09, 2023