Homepage
About Snyk

Arbitrary Code Execution Affecting total4 package, versions <0.0.43

0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.58% (78th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-TOTAL4-1130527
  • published 7 Jul 2021
  • disclosed 24 Mar 2021
  • credit Alessio Della Libera (@d3lla)
Report a new vulnerability Found a mistake?

Introduced: 24 Mar 2021

CVE-2021-23390 Open this link in a new tab
CWE-94 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade total4 to version 0.0.43 or higher.

Overview

total4 is a framework for Node.js platform written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as a web, desktop, service, or IoT application.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.

PoC by Alessio Della Libera

const total = require('total4');
U.set({}, 'a;let {mainModule}=process; let {require}=mainModule; let {exec}=require("child_process"); exec("touch HACKED")//');