Arbitrary Code Execution
Description
The package total.js before 3.4.9 is vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
total.js before 3.4.9 allows arbitrary code execution via U.set() and U.get() due to insufficient input sanitization.
Vulnerability
The U.set() and U.get() functions in total.js before version 3.4.9 are vulnerable to arbitrary code execution. The functions dynamically construct and execute code using new Function() without sanitizing user-supplied path arguments, allowing injection of malicious JavaScript. Affected versions: all prior to 3.4.9.
Exploitation
An attacker can pass a crafted path string containing arbitrary JavaScript (e.g., using semicolons and function calls) to U.set() or U.get(). If the application passes user input to these functions, no authentication or special privileges are needed. The PoC from Snyk [3] demonstrates executing exec("touch HACKED") via the path argument.
Impact
Successful exploitation results in arbitrary code execution in the Node.js process context, potentially leading to full system compromise, data exfiltration, or denial of service.
Mitigation
Upgrade to total.js version 3.4.9 or higher, which adds a regex check to block dangerous patterns (__proto__, constructor, prototype, eval, function, etc.) in path arguments [2]. No workaround is available; immediate upgrade is recommended.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
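The root cause described above is that a user-controlled path string is concatenated into JavaScript source and compiled with new Function(). The following is an added example, not total.js code, of the shape a hardened path getter/setter takes: the path is parsed into segments under an allowlist (identifier, dot, numeric bracket index), the dangerous segments named in the fix (__proto__, constructor, prototype) are rejected outright, and the object is walked directly so no user text is ever compiled. The path syntax `a.b[0].c` and the helper names safeGet/safeSet/isSafePath are assumptions for this example.

```javascript
// Added example (not total.js code): parse-and-walk replacement for the
// "concatenate the path into source and call new Function()" pattern.
// Assumed path syntax: dot-separated identifiers, each optionally followed
// by one or more numeric bracket indices, e.g. "user.tags[1]".

const PIECE_RE = /^([A-Za-z_$][\w$]*)((?:\[\d+\])*)$/; // allowlist per piece
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']); // never traverse these

// Turn "user.tags[1]" into ['user', 'tags', 1]. Anything outside the allowlist
// (semicolons, parentheses, whitespace, quotes, ...) fails the regex and throws,
// so there is no character set to enumerate as a denylist.
function parsePath(path) {
  if (typeof path !== 'string' || path === '') {
    throw new TypeError('path must be a non-empty string');
  }
  const segments = [];
  for (const piece of path.split('.')) {
    const m = PIECE_RE.exec(piece);
    if (!m) throw new Error('invalid path segment: ' + JSON.stringify(piece));
    segments.push(m[1]);
    for (const idx of m[2].match(/\d+/g) || []) segments.push(Number(idx));
  }
  for (const seg of segments) {
    if (typeof seg === 'string' && BLOCKED.has(seg)) {
      throw new Error('forbidden path segment: ' + seg);
    }
  }
  return segments;
}

// Boolean form of the same check, handy for validating input at an API boundary.
function isSafePath(path) {
  try { parsePath(path); return true; } catch (e) { return false; }
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Read obj at path; only own properties are followed, so inherited members
// such as toString are never reachable through a path.
function safeGet(obj, path) {
  let cur = obj;
  for (const seg of parsePath(path)) {
    if (cur === null || typeof cur !== 'object' || !hasOwn(cur, seg)) return undefined;
    cur = cur[seg];
  }
  return cur;
}

// Write value at path, creating intermediate objects/arrays as needed.
// A primitive found where a container is needed is replaced by a container.
function safeSet(obj, path, value) {
  if (obj === null || typeof obj !== 'object') throw new TypeError('obj must be an object');
  const segs = parsePath(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const seg = segs[i];
    const nextIsIndex = typeof segs[i + 1] === 'number';
    const child = hasOwn(cur, seg) ? cur[seg] : undefined;
    if (child === null || typeof child !== 'object') {
      cur[seg] = nextIsIndex ? [] : {};
    }
    cur = cur[seg];
  }
  cur[segs[segs.length - 1]] = value;
  return value;
}

// Constructed sample data for a stand-alone run.
const sample = { user: { name: 'ana', tags: ['a', 'b'] } };
safeSet(sample, 'user.roles[0]', 'admin');
console.log(safeGet(sample, 'user.tags[1]'), safeGet(sample, 'user.roles[0]'));
console.log(isSafePath('user.name'), isSafePath('__proto__.x'), isSafePath('a;b'));
```

Because the walk only ever indexes with segments that passed the allowlist and touches own properties only, a path such as `constructor.prototype.x` is rejected before any lookup, and there is no generated source for a stray semicolon or parenthesis to land in.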
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| total.js (npm) | < 3.4.9 | 3.4.9 |
Affected products
- total.js/total.js
Patches
887b0fa9e162 Fixed security issue in `U.set()` and `U.get()`.
2 files changed · +9 −4
changes.txt+1 −0 modified@@ -4,6 +4,7 @@ - added `insecure` flag into the `U.request()` method - added `RESTBuilder.insecure()` method - fixed security issue when parsing query arguments (reported by <https://github.com/fl4x>) +- fixed security in `U.get()` and `U.set()` (reported by Agustin Gianni) ======= 3.4.8
utils.js+8 −4 modified@@ -6617,12 +6617,16 @@ exports.parseTheme = function(value) { return value === '?' ? CONF.default_theme : value; }; + exports.set = function(obj, path, value) { var cachekey = 'S+' + path; if (F.temporary.other[cachekey]) return F.temporary.other[cachekey](obj, value); + if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path)) + return value; + var arr = parsepath(path); var builder = []; @@ -6636,12 +6640,9 @@ exports.set = function(obj, path, value) { var ispush = v.lastIndexOf('[]') !== -1; var a = builder.join(';') + ';var v=typeof(a)===\'function\'?a(U.get(b)):a;w' + (v[0] === '[' ? '' : '.') + (ispush ? v.replace(REGREPLACEARR, '.push(v)') : (v + '=v')) + ';return v'; - if ((/__proto__|constructor|prototype|eval/).test(a)) - throw new Error('Potential vulnerability'); - var fn = new Function('w', 'a', 'b', a); F.temporary.other[cachekey] = fn; - fn(obj, value, path); + return fn(obj, value, path); }; exports.get = function(obj, path) { @@ -6651,6 +6652,9 @@ exports.get = function(obj, path) { if (F.temporary.other[cachekey]) return F.temporary.other[cachekey](obj); + if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path)) + return; + var arr = parsepath(path); var builder = [];
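Review bot: the new guard in `exports.set`, `if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path)) return value;`, is a denylist applied to a string that is still concatenated into `a` and compiled by `new Function('w', 'a', 'b', a)`; a denylist in front of a code generator has to enumerate every character that can change the meaning of the generated source, so an allowlist (reject any path that is not identifier, dot or bracket-index syntax) is the safer shape, and walking the parsed segments directly would remove the need for `new Function` altogether. The removed `throw new Error('Potential vulnerability')` is also replaced by a silent `return value`, so a caller can no longer tell a rejected path from a successful write; keep the exception, or document the new return contract in changes.txt alongside the "fixed security" entry.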
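Review bot: `exports.get` repeats the same literal regex as `exports.set`; hoist it into one shared constant (for example a `REG*`-style constant next to `REGREPLACEARR`, name to be chosen) so the two guards cannot drift apart, and note that the rejected-path branch here returns `undefined`, which is indistinguishable from a path that simply does not exist.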
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7fm6-gxqg-2pwr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23389 (NVD)
- github.com/totaljs/framework/blob/master/utils.js#L6606-L6631
- github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3 (fix commit)
- snyk.io/vuln/SNYK-JS-TOTALJS-1088607 (Snyk)
News mentions
No linked articles in our index yet.