CVE-2021-23344

9.8 CRITICAL

📋 TL;DR

This vulnerability in total.js framework allows remote attackers to execute arbitrary code on affected systems by exploiting improper input validation in the 'set' function. It affects all applications using total.js versions before 3.4.8 that accept user input. Attackers can gain complete control of vulnerable servers.

💻 Affected Systems

Products:
  • total.js framework
Versions: All versions before 3.4.8
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using total.js framework that processes user input is vulnerable. The vulnerability is in the framework itself, not dependent on specific application code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact with proper input validation, network segmentation, and least privilege principles in place.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet without authentication.
🏢 Internal Only: HIGH - Exploitable from any network position with access to the vulnerable service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward as it involves sending specially crafted input to vulnerable endpoints. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.8 and later

Vendor Advisory: https://github.com/totaljs/framework/commit/c812bbcab8981797d3a1b9993fc42dad3d246f04

Restart Required: Yes

Instructions:

1. Update the total.js package to version 3.4.8 or later using 'npm update total.js'
2. Restart the Node.js application
3. Verify the update with 'npm list total.js'

🔧 Temporary Workarounds

Input validation wrapper (applies to: all)

Implement strict input validation for all user-controlled parameters before passing them to the total.js set function.

// Example: validate input before using total.js set.
// 'framework' stands for the application's total.js framework reference; the
// name is illustrative, substitute whatever handle your application uses.
function safeSet(key, value) {
  // Only plain strings and numbers are passed through; objects, arrays and
  // functions are rejected before they reach the framework.
  if (typeof value !== 'string' && typeof value !== 'number') {
    throw new Error('Invalid input type');
  }
  // Additional validation as needed (length limits, allow-list of keys, ...)
  return framework.set(key, value);
}

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Deploy web application firewall (WAF) with RCE protection rules

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list total.js' to see whether the installed version is below 3.4.8

Check Version:

npm list total.js | grep total.js

Verify Fix Applied:

Confirm total.js version is 3.4.8 or higher with 'npm list total.js' and test application functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Node.js
  • Suspicious command execution patterns
  • Abnormal system calls from application

Network Indicators:

  • Unexpected outbound connections from application server
  • Suspicious payloads in HTTP requests containing code execution patterns

SIEM Query:

source="application.logs" AND ("exec(" OR "spawn(" OR "system(") AND process="node"
