
THREATINT
PUBLISHED

CVE-2024-21537



Assigner: snyk
Reserved: 2023-12-22
Published: 2024-10-31
Updated: 2024-10-31

Description

Versions of the package lilconfig from 3.1.0 and before 3.1.1 (that is, 3.1.0 up to but not including 3.1.1) are vulnerable to Arbitrary Code Execution due to the insecure use of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing malicious input through the defaultLoaders function.



HIGH: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P

Credits

Anton Kastritskiy

References

https://security.snyk.io/vuln/SNYK-JS-LILCONFIG-6263789

https://github.com/antonk52/lilconfig/pull/48

https://github.com/antonk52/lilconfig/releases/tag/v3.1.1

https://github.com/antonk52/lilconfig/commit/2c68a1ab8764fc74acc46771e1ad39ab07a9b0a7

cve.org CVE-2024-21537

nvd.nist.gov CVE-2024-21537
