CVE-2021-23389

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of the total.js framework. Attackers can exploit the U.set() and U.get() utility functions to inject and execute malicious code. Any application using total.js versions before 3.4.9 is affected.

💻 Affected Systems

Products:
  • total.js framework
Versions: All versions before 3.4.9
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the vulnerable U.set() or U.get() functions is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to data theft, service disruption, or deployment of ransomware.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing applications particularly vulnerable.
🏢 Internal Only: HIGH - Even internal applications can be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward as the vulnerable functions are commonly used and the attack vector is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.9 and later

Vendor Advisory: https://github.com/totaljs/framework/commit/887b0fa9e162ef7a2dd9cec20a5ca122726373b3

Restart Required: Yes

Instructions:

1. Update the total.js package to version 3.4.9 or later using npm update totaljs.
2. Restart the application.
3. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Wrapper

Wrap U.set() and U.get() calls with strict input validation to prevent code injection.

// Validate the path argument before passing it to U.set() or U.get()
function assertSafeInput(input) {
  if (typeof input !== 'string' || input.includes('__proto__')) throw new Error('Invalid input');
}
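A fuller version of this wrapper, as an added example that is not part of the advisory and not total.js code: it accepts only a dotted chain of plain identifiers as the path, rejects prototype-chain segments, and resolves the path with ordinary property access instead of evaluating it. The helper names parsePath, safeGet and safeSet and the accepted path grammar are assumptions for illustration.

```javascript
// Added example (not total.js code): validate a U.get()/U.set()-style path
// before use, and resolve it with plain property access, never evaluation.

// Accept only chains of plain identifiers separated by dots, e.g. "user.profile.name".
const PATH_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
// Segments that would let a caller reach or rewrite the prototype chain.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the validated segment list, or throws on anything suspicious.
function parsePath(path) {
  if (typeof path !== 'string' || path.length === 0 || path.length > 256) {
    throw new Error('Invalid path: must be a non-empty string');
  }
  if (!PATH_RE.test(path)) {
    throw new Error('Invalid path: only dotted identifiers are allowed');
  }
  const segments = path.split('.');
  for (const s of segments) {
    if (FORBIDDEN.has(s)) throw new Error(`Invalid path: segment "${s}" is not allowed`);
  }
  return segments;
}

// Read obj.a.b... using own properties only; undefined if any step is missing.
function safeGet(obj, path) {
  let cur = obj;
  for (const s of parsePath(path)) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, s)) {
      return undefined;
    }
    cur = cur[s];
  }
  return cur;
}

// Write obj.a.b... = value, creating intermediate plain objects as needed.
function safeSet(obj, path, value) {
  const segments = parsePath(path);
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const s = segments[i];
    if (cur[s] === null || typeof cur[s] !== 'object') cur[s] = {};
    cur = cur[s];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}
```

Call parsePath on every user-supplied path before it reaches U.get() or U.set(); the validation is the part that matters even if you keep the framework's own accessors.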

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Deploy web application firewall (WAF) rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check package.json for the total.js version, or run npm list totaljs.

Check Version:

npm list totaljs | grep totaljs

Verify Fix Applied:

Verify that the installed total.js version is 3.4.9 or higher using npm list totaljs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution patterns
  • Suspicious JavaScript evaluation in logs
  • Unexpected system commands from Node.js processes

Network Indicators:

  • Unusual outbound connections from Node.js applications
  • Suspicious payloads in HTTP requests

SIEM Query:

process.name:node.exe AND (process.cmdline:*U.set* OR process.cmdline:*U.get*) AND process.cmdline:*eval*
