CVE-2019-5479
First published: Tue Sep 03 2019(Updated: )
Versions of `larvitbase-api` prior to 0.5.4 are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to an `require()` call. This allows attackers to execute any `.js` file in the same folder as the server is running. ## Recommendation Upgrade to version 0.5.4 or later.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/larvitbase-api | <0.5.5 | 0.5.5 |
| Larvit Larvitbase | <0.5.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-5479?
CVE-2019-5479 is a vulnerability in larvitbase-api versions prior to 0.5.4 that allows an attacker to execute arbitrary .js files in the same folder as the server.
How can an attacker exploit CVE-2019-5479?
An attacker can exploit CVE-2019-5479 by passing a unsanitized GET parameter to a require() call in the larvitbase-api API endpoint.
What is the severity of CVE-2019-5479?
CVE-2019-5479 has a severity rating of 7.5 (high).
How can I fix CVE-2019-5479?
To fix CVE-2019-5479, update larvitbase-api to version 0.5.5 or higher.
Where can I find more information about CVE-2019-5479?
You can find more information about CVE-2019-5479 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-5479), [HackerOne](https://hackerone.com/reports/566056), [npm](https://www.npmjs.com/advisories/1120).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-cve
- collector/nvd-index
- vendor/larvit
- canonical/larvit larvitbase