Nuclei · Nuclei · CVE-2026-41646
**Name of the Vulnerable Software and Affected Versions**
Nuclei versions 3.0.0 through 3.7.9
**Description**
A flaw in the JavaScript protocol runtime's module loading system allows JavaScript templates to read local `.js` and `.json` files from the host filesystem. This occurs because the `require()` function utilizes a default host filesystem loader that bypasses the `allow-local-file-access` check, which is intended to restrict file access outside the template directory. This can lead to the exposure of sensitive data stored in JSON configuration files, such as `package.json`, credential stores, or cloud configuration files. The issue specifically affects CLI users running untrusted third-party templates and SDK users who allow end-users to supply JavaScript templates.
**Recommendations**
Update to version 3.8.0.
Avoid running JavaScript templates from unverified or untrusted sources.
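As an added example (not code from Nuclei or from this advisory), the Go sketch below audits a third-party template before it is run, flagging every `require()` call whose argument is not a plain string literal naming a bundled module. It assumes bundled modules are loaded under the `nuclei/` prefix; `AuditRequires`, `Finding` and the sample template are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// requireCall captures the raw argument text of each require(...) call.
var requireCall = regexp.MustCompile(`\brequire\s*\(\s*([^)]*?)\s*\)`)

// literal matches an argument that is exactly one plain string literal.
var literal = regexp.MustCompile("^(?:\"([^\"]*)\"|'([^']*)'|`([^`$]*)`)$")

// Finding is one require() call that does not clearly name a bundled module.
type Finding struct {
	Line        int
	Arg, Reason string
}

// AuditRequires flags require() calls not naming a literal under "nuclei/" (assumed bundled-module prefix).
func AuditRequires(template string) []Finding {
	var out []Finding
	for i, line := range strings.Split(template, "\n") {
		for _, m := range requireCall.FindAllStringSubmatch(line, -1) {
			lit := literal.FindStringSubmatch(m[1])
			if lit == nil { // computed specifier: cannot be judged statically
				out = append(out, Finding{i + 1, m[1], "non-literal argument"})
			} else if s := lit[1] + lit[2] + lit[3]; !strings.HasPrefix(s, "nuclei/") || strings.Contains(s, "..") {
				out = append(out, Finding{i + 1, m[1], "not a bundled module"})
			}
		}
	}
	return out
}

// sample is a constructed template body, not taken from any real template.
const sample = `id: constructed-sample
javascript:
  - code: |
      const ssh = require("nuclei/ssh");
      const pkg = require("../../package.json");
      const cfg = require(p);
`

func main() {
	for _, f := range AuditRequires(sample) {
		fmt.Printf("line %d: require(%s): %s\n", f.Line, f.Arg, f.Reason)
	}
}
```

This is a line-by-line lexical check, so a clean result does not prove a template is safe; it is a triage step alongside the upgrade to 3.8.0.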