CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
80.9%
The import-in-the-middle
loader works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and add some wrapping code. It allows for remote code execution in cases where an application passes user-supplied input directly to an import() function.
This vulnerability has been patched in import-in-the-middle
version 1.4.2
import()
. Instead, verify it against a set of allowed values.import-in-the-middle
and support for EcmaScript Modules is not needed, ensure that none of the following options are set (either via command-line or the NODE_OPTIONS
environment variable):--loader=import-in-the-middle/hook.mjs
--loader import-in-the-middle/hook.mjs
If you have any questions or comments about this advisory, email us at [email protected]
Vendor | Product | Version | CPE |
---|---|---|---|
datadoghq | import-in-the-middle | * | cpe:2.3:a:datadoghq:import-in-the-middle:*:*:*:*:*:node.js:*:* |