Description
All versions of larvitbase-www are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to an require() call. This allows attackers to execute any .js file in the same folder as the server is running.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 0.0.0
References
Related Issues
- Unintended Require in larvitbase-api - CVE-2019-5479
- Arbitrary Code Execution in require-node - Vulnerability
- jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - CVE-2026-24001
- Incorrect default cookie name and recommendation - Vulnerability
- Tags:
- npm
- larvitbase-www
Anything's wrong? Let us know Last updated on January 09, 2023