CVE-2023-1283
CRITICAL 9.8 | EPSS 0.28%
builderio/qwik is vulnerable to code injection
Published: 3/9/2023 | Modified: 11/8/2023
Description
Code Injection in GitHub repository builderio/qwik prior to 0.21.0. The Function deserializer can be accessed using the pureServerFunction feature. This allows any JavaScript code to be run by Node.js.
Affected packages (1)
- npm/@builder.io/qwik: from 0, < 0.21.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-1283
- PATCH: https://github.com/BuilderIO/qwik
- WEB: https://github.com/builderio/qwik/commit/4d9ba6e098ae6e537aa55abb6b8369bb670ffe66
- WEB: https://github.com/BuilderIO/qwik/pull/3249/commits/4d9ba6e098ae6e537aa55abb6b8369bb670ffe66
- WEB: https://huntr.dev/bounties/63f1ff91-48f3-4886-a179-103f1ddd8ff8