VYPR
High severity · NVD Advisory · Published Aug 30, 2021 · Updated Aug 3, 2024

Code injection in total.js

CVE-2021-32831

Description

Total.js framework (npm package total.js) is a framework for Node.js platform written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Calling utils.set with user-controlled values in Total.js before 3.4.9 allows code injection leading to arbitrary code execution.

Vulnerability

In Total.js framework (npm package total.js) before version 3.4.9, the utils.set function does not properly sanitize user-controlled input, allowing code injection. The function is used to set nested properties on objects. When an attacker can control the key or value, they can inject arbitrary JavaScript code that gets executed. Affected versions: all prior to 3.4.9. [1][4]

Exploitation

An attacker needs to supply a crafted string to the utils.set function, typically via user input that is passed to the framework. No authentication is required if the application exposes this function to untrusted data. The PoC from the advisory shows that calling utils.set({},'a;Function(while(1)1;)();//') causes a denial of service, and utils.set({},'a;Function(require("child_process")\\x2eexecSync("touch GHSL"))();//') executes arbitrary commands. The injection works by breaking out of the property assignment and executing a Function constructor call. [4]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of the Node.js process. This can lead to full remote code execution (RCE), including file system access, data exfiltration, and further compromise of the server. The impact is critical as it can result in complete loss of confidentiality, integrity, and availability. [1][4]

Mitigation

The vulnerability is fixed in Total.js version 3.4.9, released on or before 2021-08-30. Users should upgrade to version 3.4.9 or later. No workarounds are documented. The advisory notes that the maintainers did not acknowledge the report within the disclosure timeline, but the fix was eventually applied. [1][3][4]
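As an added example (not total.js code and not the project's fix), the following nested get/set pair avoids the mechanism described above entirely: the path is parsed against an allowlist and walked as data, so it is never turned into source for the Function constructor. The names `parsePath`, `safeSet` and `safeGet` are hypothetical.

```javascript
// Added example (not total.js code): nested get/set that walks the path
// instead of compiling it into a Function, so a path such as
// "a;Function(while(1)1;)();//" can never become executable source.
// Segments are allowlisted (identifier or [index]); the prototype-polluting
// names are rejected so `__proto__.x` cannot be set either.
const SEGMENT = /^(?:[A-Za-z_$][\w$]*|\[(\d+)\])$/;
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// "a.b[0].c" -> ["a", "b", 0, "c"]; throws on anything outside the allowlist.
function parsePath(path) {
  if (typeof path !== 'string' || path === '') throw new TypeError('path required');
  const parts = [];
  for (const raw of path.split('.')) {
    // "b[0][1]" -> "b", "[0]", "[1]"; anything left over is rejected below
    const pieces = raw.match(/^[^\[\]]+|\[[^\[\]]*\]/g) || [];
    if (pieces.length === 0 || pieces.join('') !== raw) throw new Error('bad segment: ' + raw);
    for (const piece of pieces) {
      const m = SEGMENT.exec(piece);
      if (!m) throw new Error('bad segment: ' + piece);
      const key = m[1] === undefined ? piece : Number(m[1]);
      if (FORBIDDEN.has(key)) throw new Error('forbidden segment: ' + key);
      parts.push(key);
    }
  }
  return parts;
}

function safeSet(obj, path, value) {
  const parts = parsePath(path);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === null || typeof cur[key] !== 'object') {
      // materialise the intermediate container; an array if an index follows
      cur[key] = typeof parts[i + 1] === 'number' ? [] : {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return value;
}

function safeGet(obj, path) {
  let cur = obj;
  for (const key of parsePath(path)) {
    if (cur === null || cur === undefined) return undefined;
    cur = cur[key];
  }
  return cur;
}
```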

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: total.js (npm)
Affected versions: < 3.4.9
Patched versions: 3.4.9

Affected products (2)

Patches (1)
887b0fa9e162

Fixed security issue in `U.set()` and `U.get()`.

https://github.com/totaljs/framework · Peter Širka · Jun 4, 2021 · via ghsa
2 files changed · +9 −4
  • changes.txt  +1 −0  modified
    @@ -4,6 +4,7 @@
     - added `insecure` flag into the `U.request()` method
     - added `RESTBuilder.insecure()` method
     - fixed security issue when parsing query arguments (reported by <https://github.com/fl4x>)
    +- fixed security in `U.get()` and `U.set()` (reported by Agustin Gianni)
     
     ======= 3.4.8
     
    
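Review bot: the changelog line does not say what the security issue in `U.get()`/`U.set()` was or what changed for callers; suggest stating that a `path` containing anything other than a plain dotted/indexed property path is now rejected, and that `U.set()` now returns the value instead of throwing, so consumers can judge their exposure and the behavioural change.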
  • utils.js  +8 −4  modified
    @@ -6617,12 +6617,16 @@ exports.parseTheme = function(value) {
     	return value === '?' ? CONF.default_theme : value;
     };
     
    +
     exports.set = function(obj, path, value) {
     	var cachekey = 'S+' + path;
     
     	if (F.temporary.other[cachekey])
     		return F.temporary.other[cachekey](obj, value);
     
    +	if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path))
    +		return value;
    +
     	var arr = parsepath(path);
     	var builder = [];
     
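Review bot: the new guard `if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path))` is a denylist placed in front of code generation: `path` still flows through `parsepath()` into the string that `new Function` compiles later in this function, so the check is only as good as the list of characters it enumerates. Suggest inverting it into an allowlist that accepts only identifier and `[index]` segments, and rejecting with an error instead of `return value;`, which makes a filtered path indistinguishable from a successful assignment. The same regex literal is pasted into `exports.get` below; hoist it to one module-level constant. The added blank line before `exports.set` is stray whitespace.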
    @@ -6636,12 +6640,9 @@ exports.set = function(obj, path, value) {
     	var ispush = v.lastIndexOf('[]') !== -1;
     	var a = builder.join(';') + ';var v=typeof(a)===\'function\'?a(U.get(b)):a;w' + (v[0] === '[' ? '' : '.') + (ispush ? v.replace(REGREPLACEARR, '.push(v)') : (v + '=v')) + ';return v';
     
    -	if ((/__proto__|constructor|prototype|eval/).test(a))
    -		throw new Error('Potential vulnerability');
    -
     	var fn = new Function('w', 'a', 'b', a);
     	F.temporary.other[cachekey] = fn;
    -	fn(obj, value, path);
    +	return fn(obj, value, path);
     };
     
     exports.get = function(obj, path) {
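Review bot: removing `throw new Error('Potential vulnerability');` on the generated source `a` changes the failure semantics from raising to silently returning, and it drops the only check on the string that is actually compiled; keeping a final test on `a` immediately before `var fn = new Function('w', 'a', 'b', a);` is cheap defence in depth, since the new guard inspects `path` only. The change to `return fn(obj, value, path);` also makes `U.set()` return the assigned value where it previously returned `undefined`, which belongs in changes.txt.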
    @@ -6651,6 +6652,9 @@ exports.get = function(obj, path) {
     	if (F.temporary.other[cachekey])
     		return F.temporary.other[cachekey](obj);
     
    +	if ((/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/).test(path))
    +		return;
    +
     	var arr = parsepath(path);
     	var builder = [];
     
    
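Review bot: `return;` on a rejected path gives `U.get()` the same result as looking up a property that does not exist, so a caller cannot distinguish filtered input from a missing value; consider throwing or at least logging here. The guard is a second copy of the regex used in `exports.set`; a shared constant keeps the two functions from drifting apart when the pattern is tightened.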

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (7)
