First published: Tue Sep 03 2019
Versions of `larvitbase-api` prior to 0.5.4 are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter, unsanitized, to a `require()` call. Because `require()` loads and executes whatever module path it is handed, an attacker who controls that parameter can execute any `.js` file in the same folder the server is running from, not only the handler module the endpoint was meant to load.

## Recommendation

Upgrade to version 0.5.4 or later.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix
---|---|---
npm/larvitbase-api | <0.5.5 | 0.5.5
Larvit Larvitbase | <0.5.5 | 0.5.5
CVE-2019-5479 is a vulnerability in larvitbase-api versions prior to 0.5.4 that allows an attacker to execute arbitrary `.js` files in the same folder the server is running from.
An attacker can exploit CVE-2019-5479 by supplying a crafted value for a GET parameter that the larvitbase-api API endpoint passes, unsanitized, to a `require()` call.
CVE-2019-5479 has a CVSS severity score of 7.5 (High).
To fix CVE-2019-5479, update larvitbase-api to version 0.5.5 or higher.
You can find more information about CVE-2019-5479 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-5479), [HackerOne](https://hackerone.com/reports/566056), [npm](https://www.npmjs.com/advisories/1120).