GHSA-fq9m-v26v-2m4f

Source
https://github.com/advisories/GHSA-fq9m-v26v-2m4f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-fq9m-v26v-2m4f/GHSA-fq9m-v26v-2m4f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fq9m-v26v-2m4f
Aliases
Published
2024-10-31T06:30:45Z
Modified
2024-11-01T22:12:21.066635Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
lilconfig Code Injection vulnerability
Details

Versions of the npm package lilconfig from 3.1.0 and before 3.1.1 (in practice, 3.1.0) are vulnerable to arbitrary code execution, classified as code injection (CWE-94), because of insecure use of eval in the dynamicImport function: the path of the module to load is interpolated into source text that is then evaluated instead of being passed to import() as a value. An attacker who controls the input reaching one of the defaultLoaders (the path of the config file lilconfig is asked to load) can break out of the interpolated string and have arbitrary JavaScript evaluated in the process with the caller's privileges. The CVSS vectors reflect this: network-reachable in tooling that loads configuration from untrusted locations, low complexity, no user interaction, full impact on confidentiality, integrity and availability. Upgrade to 3.1.1 or later; lilconfig is usually a transitive dependency of build tooling, so check the lockfile rather than only direct dependencies.

Database specific
{
    "nvd_published_at": "2024-10-31T05:15:04Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-01T21:39:32Z"
}
References

Affected packages

npm / lilconfig

Affected ranges

Type
SEMVER
Events
Introduced
3.1.0
Fixed
3.1.1