CVE-2024-43373

HIGH EPSS 35.7%
Published Aug 15, 20241y ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Aug 15, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

webcrack is a tool for reverse engineering javascript. An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module name includes a path traversal sequence with Windows path separators, an attacker can exploit this to overwrite files on the host system. This vulnerability allows an attacker to write arbitrary `.js` files to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code execution. This vulnerability has been patched in version 2.14.1.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
35.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation
CWE-22 Path Traversal Resource Mgmt

Affected Products 2

VendorProductVersionRange
j4k0xbwebcrack* <2.14.1
microsoftwindows*any

References 3

  • github.com https://github.com/j4k0xb/webcrack/blob/241f9469e6401f3dabc6373233d85a5e76966b54/packages/webcrack/src/unpack/bundle.ts#L79
    Product
  • github.com https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999
    Patch
  • github.com https://github.com/j4k0xb/webcrack/security/advisories/GHSA-ccqh-278p-xq6w
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/j4k0xb/webcrack/commit/4bc5c6f353012ee7edc2cb39d01a728ab7426999
    Patch