GMS-2020-341: Unintended Require in larvitbase-www

September 3, 2020

All versions of larvitbase-www are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to an require() call. This allows attackers to execute any .js file in the same folder as the server is running. No fix is currently available. Consider using an alternative package until a fix is made available.

References

github.com/advisories/GHSA-88h9-fc6v-jcw7
hackerone.com/reports/526258
www.npmjs.com/advisories/1156

Detect and mitigate GMS-2020-341 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →