CVE-2019-5479

Name of the Vulnerable Software and Affected Versions larvitbase-api versions prior to 0.5.4

Description The issue allows an attacker to load arbitrary non-production code, specifically JavaScript files, due to an unintended require vulnerability. This is possible because the package exposes an API endpoint and passes a GET parameter unsanitized to a require() call, allowing attackers to execute any .js file in the same folder as the server is running.

Recommendations Upgrade to version 0.5.4 or later.