Remote Code Execution (RCE)
Description
The package total.js before 3.4.8 is vulnerable to Remote Code Execution (RCE) via set.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
total.js framework before 3.4.8 is vulnerable to remote code execution via the `set` method, allowing arbitrary code injection.
Vulnerability
Details
The U.set() method in total.js (a Node.js framework) is vulnerable to remote code execution (RCE) due to insufficient input sanitization. The method constructs a JavaScript code string from user-supplied path and value parameters and executes it via new Function(). The original code only blocked prototype pollution keywords (__proto__, constructor, prototype) but did not block eval, allowing an attacker to inject arbitrary JavaScript code into the executed string [1][2][3].
Exploitation
An attacker can exploit this by passing a crafted path argument containing JavaScript code, such as 'a;eval(require("child_process").execSync("touch pwned"))//', to the set method. This results in the execution of arbitrary commands on the server. The proof-of-concept provided by Snyk demonstrates how to achieve RCE without authentication, assuming the application passes user-controlled input to the set function [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server with the privileges of the Node.js process. This can lead to full compromise of the application, data exfiltration, or further lateral movement within the infrastructure [1][2].
Mitigation
The vulnerability is fixed in total.js version 3.4.8. The commit [3] adds eval to the blocked keywords in the regular expression check, preventing the injection of eval statements. Users are strongly advised to upgrade to version 3.4.8 or later immediately [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
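As an added example (not total.js's own code), the setter below takes the approach the mitigation paragraph only hints at: it parses the dotted path into segments, checks each one against an identifier allowlist, and walks the object directly, so no source string is ever built and `new Function()` is never involved. The patched denylist regex is kept alongside for comparison; the segment pattern, the `safeSet`/`parsePath` names and the sample paths are assumptions.

```javascript
// Added example, not code from total.js: a path setter that never generates
// source text, so a crafted path has nothing to inject into.

// Hypothetical allowlist: each segment must be a plain identifier or a
// non-negative array index; a ";" or "(" can never pass this test.
const SEGMENT = /^(?:[A-Za-z_$][\w$]*|\d+)$/;
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function parsePath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  // Normalise "a.b[0].c" to "a.b.0.c", then validate every segment.
  const segments = path.replace(/\[(\d+)\]/g, '.$1').replace(/^\./, '').split('.');
  for (const seg of segments) {
    if (!SEGMENT.test(seg)) throw new Error(`invalid path segment: ${JSON.stringify(seg)}`);
    if (FORBIDDEN.has(seg)) throw new Error('Prototype pollution');
  }
  return segments;
}

function safeSet(obj, path, value) {
  const segments = parsePath(path);
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      // Create the missing container; an array if the next segment is an index.
      cur[seg] = /^\d+$/.test(segments[i + 1]) ? [] : {};
    }
    cur = cur[seg];
  }
  const last = segments[segments.length - 1];
  // Mirror U.set()'s callback form: a function value receives the current value.
  cur[last] = typeof value === 'function' ? value(cur[last]) : value;
  return obj;
}

// The patched denylist from the fix commit, applied as a substring test.
const PATCHED_DENYLIST = /__proto__|constructor|prototype|eval/;
function denylistRejects(path) {
  return PATCHED_DENYLIST.test(path);
}
```

Note that `denylistRejects('retrieval.count')` is true: the substring test also refuses benign keys, which the allowlist parser does not.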
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| total.js (npm) | < 3.4.8 | 3.4.8 |
Affected products
- total.js/total.js
Patches
c812bbcab898 Fixed potential vulnerability in `U.set()` method.
2 files changed · +3 −2
changes.txt+1 −0 modified@@ -1,6 +1,7 @@ ======= 3.4.9 - fixed measuring dimension for `.gif` images +- fixed potential remote code execution in `U.set()` founded by [Snyk](https://snyk.io/vuln) ======= 3.4.7
utils.js+2 −2 modified@@ -6622,8 +6622,8 @@ exports.set = function(obj, path, value) { var ispush = v.lastIndexOf('[]') !== -1; var a = builder.join(';') + ';var v=typeof(a)===\'function\'?a(U.get(b)):a;w' + (v[0] === '[' ? '' : '.') + (ispush ? v.replace(REGREPLACEARR, '.push(v)') : (v + '=v')) + ';return v'; - if ((/__proto__|constructor|prototype/).test(a)) - throw new Error('Prototype pollution'); + if ((/__proto__|constructor|prototype|eval/).test(a)) + throw new Error('Potential vulnerability'); var fn = new Function('w', 'a', 'b', a); F.temporary.other[cachekey] = fn;
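Review bot: in the changes.txt hunk the new entry lands under the `======= 3.4.9` heading while the advisory lists 3.4.8 as the patched version; confirm which release actually carries the fix so the advisory and changelog agree. Also "founded by" should read "found by".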
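Review bot: in the utils.js hunk the fix remains a substring denylist (`/__proto__|constructor|prototype|eval/`) applied to source text that is still handed to `new Function('w', 'a', 'b', a)`. Two consequences follow: any legitimate key that contains a listed token (a property named `retrieval`, for example) now throws, and a denylist can only stop the tokens its author thought of. A more robust change would validate each path segment against an identifier allowlist before `a` is assembled, or set the property by walking the object instead of generating code. The new message `'Potential vulnerability'` also drops the prototype-pollution distinction the old `'Prototype pollution'` message carried, which is useful when triaging logs.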
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3wj8-vp9h-rm6m
- nvd.nist.gov/vuln/detail/CVE-2021-23344
- github.com/totaljs/framework/commit/c812bbcab8981797d3a1b9993fc42dad3d246f04
- snyk.io/vuln/SNYK-JS-TOTALJS-1077069