CVE-2024-21537

Name of the Vulnerable Software and Affected Versions lilconfig versions 3.1.0 through 3.1.1

Description The issue is related to the dynamicImport() function in the lilconfig configurator, which is associated with incorrect code generation management when handling .d.ts syntax. This can allow a remote attacker to execute arbitrary code. The vulnerability is due to the insecure usage of eval in the dynamicImport function, which can be exploited by passing malicious input through the defaultLoaders function.

Recommendations For lilconfig versions 3.1.0 through 3.1.1, update to version 3.1.1 to resolve the issue. As a temporary workaround, consider disabling the dynamicImport function until a patch is available. Restrict access to the defaultLoaders function to minimize the risk of exploitation. Avoid using the eval function in the dynamicImport function until the issue is resolved.