CVE-2024-21537 – lilconfig

Package

Manager: npm
Name: lilconfig
Vulnerable Version: >=3.1.0 <3.1.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00329 pctl0.55289

Details

lilconfig Code Injection vulnerability Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function.

Metadata

Created: 2024-10-31T06:30:45Z
Modified: 2024-11-01T21:39:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-fq9m-v26v-2m4f/GHSA-fq9m-v26v-2m4f.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-fq9m-v26v-2m4f
Finding: F422
Auto approve: 1