CVE-2021-32831

7.5 HIGH

📋 TL;DR

CVE-2021-32831 is a code injection vulnerability in the Total.js framework for Node.js. When the utils.set function is called with user-controlled values, attackers can execute arbitrary code on affected systems. This affects all applications using Total.js framework versions before 3.4.9.

💻 Affected Systems

Products:
  • Total.js framework
Versions: All versions before 3.4.9
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using utils.set() with user input is vulnerable. The vulnerability is in the framework itself, not dependent on specific configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Arbitrary code execution allowing attackers to steal sensitive data, modify application behavior, or establish persistence.

🟢 If Mitigated: Limited impact if proper input validation and sanitization are implemented, though the core vulnerability remains.

🌐 Internet-Facing: HIGH - Web applications using vulnerable Total.js versions are directly exposed to remote exploitation.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but require network access, which reduces the exposure surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user input to reach the utils.set() function. A public proof of concept exists in the GitHub Security Lab advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.9

Vendor Advisory: https://github.com/totaljs/framework/blob/e644167d5378afdc45cb0156190349b2c07ef235/changes.txt#L11

Restart Required: Yes

Instructions:

1. Update package.json to specify "total.js": ">=3.4.9".
2. Run 'npm update total.js'.
3. Restart the Node.js application.
4. Test application functionality.

🔧 Temporary Workarounds

Input validation and sanitization

Implement strict input validation and sanitization for all user inputs before passing them to the utils.set() function.

WAF rule implementation

Deploy Web Application Firewall rules to detect and block suspicious patterns in user input that could trigger code injection.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Deploy application-level firewall or WAF with rules targeting code injection patterns
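The validation both workarounds above describe, as an added example that is not Total.js code: a strict allow-list for property paths (dotted identifiers and numeric indexes only) applied before anything reaches a path-based setter such as utils.set(). The function names, the length limit and the denied-segment list are the example's own assumptions.

```javascript
// Added example (not Total.js code): allow-list a property path before it reaches
// any path-based setter such as utils.set(). Only dotted identifiers and numeric
// indexes are accepted; everything else is rejected before it can be interpreted.
const IDENT = '[A-Za-z_$][A-Za-z0-9_$]*';
const INDEX = '\\[(?:0|[1-9][0-9]*)\\]';
const PATH_RE = new RegExp(`^${IDENT}(?:${INDEX})*(?:\\.${IDENT}(?:${INDEX})*)*$`);
const MAX_PATH_LENGTH = 200; // constructed limit, tune per application
// Extra guard (defender's caveat, assumed): never let a path walk the prototype chain.
const DENIED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns the path's segments (e.g. 'items[2].id' -> ['items', '2', 'id']),
// or null when the path is not on the allow-list.
function parseSafePath(path) {
  if (typeof path !== 'string' || path.length === 0 || path.length > MAX_PATH_LENGTH) return null;
  if (!PATH_RE.test(path)) return null;
  const segments = path.match(/[A-Za-z_$][A-Za-z0-9_$]*|[0-9]+/g);
  return segments.some((s) => DENIED_SEGMENTS.has(s)) ? null : segments;
}

// Sets `value` at the validated path by walking plain property accesses, so no
// string is ever compiled or evaluated. Throws instead of silently accepting bad input.
function safeSet(target, path, value) {
  if (target === null || typeof target !== 'object') throw new TypeError('target must be an object');
  const segments = parseSafePath(path);
  if (segments === null) throw new Error(`rejected property path: ${JSON.stringify(path)}`);
  let current = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (current[key] === null || typeof current[key] !== 'object') {
      // create the missing container: an array when the next segment is a numeric index
      current[key] = /^[0-9]+$/.test(segments[i + 1]) ? [] : {};
    }
    current = current[key];
  }
  current[segments[segments.length - 1]] = value;
  return target;
}

// Classifies a batch of candidate paths; useful for reviewing what a form or API accepts.
function classify(paths) {
  return paths.map((p) => ({ path: p, accepted: parseSafePath(p) !== null }));
}

// Constructed inputs: the first two are form-shaped, the rest are malformed or hostile-shaped.
const samples = ['user.name', 'items[2].id', 'a.b;process.exit()', "a['b']", '__proto__.polluted'];
console.log(classify(samples));
console.log(JSON.stringify(safeSet({}, 'items[1].id', 7)));
```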

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list total.js' to see whether the installed version is below 3.4.9. Review code for usage of utils.set() with user input.

Check Version:

npm list total.js | grep total.js

Verify Fix Applied:

Confirm 'npm list total.js' shows version 3.4.9 or higher. Test application functionality after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Node.js application
  • Suspicious JavaScript code in application logs
  • Errors from the utils.set() function with unexpected input

Network Indicators:

  • Unusual outbound connections from Node.js application
  • Suspicious payloads in HTTP requests to application endpoints

SIEM Query:

source='application.logs' AND ((process='node' AND (command LIKE '%eval%' OR command LIKE '%exec%')) OR (message LIKE '%utils.set%' AND message LIKE '%error%'))
