Lucene search

GitHub Advisory DatabaseGHSA-VC6Q-CCJ9-9R89

HistoryApr 05, 2024 - 6:30 a.m.

MailDev Remote Code Execution

2024-04-0506:30:46

CWE-22

GitHub Advisory Database

github.com

maildev

remote code execution

content-id

e-mail attachment

lib/mailserver.js

routes.js

software

8.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to lib/mailserver.js writing arbitrary code into the routes.js file.

Affected configurations

Vulners

Node

maildevRange≤2.1.0

CPENameOperatorVersion
maildevle2.1.0

CPE	Name	Operator	Version
	maildev	le	2.1.0

References

gist.github.com/stypr/fe2003f00959f7e3d92ab9d5260433f8

github.com/advisories/GHSA-vc6q-ccj9-9r89

github.com/maildev/maildev/issues/467

github.com/maildev/maildev/releases

github.com/Tim-Hoekstra/MailDev-2.1.0-Exploit-RCE

intrix.com.au/articles/exposing-major-security-flaw-in-maildev

nvd.nist.gov/vuln/detail/CVE-2024-27448