Plenti Code Execution Vulnerability via Malicious Svelte File Upload

Vulnerability

A remote code execution vulnerability exists in Plenti versions through 0.7.16. The issue arises when users upload '.svelte' files through the '/postLocal' endpoint with JavaScript code embedded in the file name. The server executes this code, leading to unauthorized code execution. The injected code runs inside the V8 JavaScript engine's sandbox, where an embedded infinite loop is enough to hang the server and cause a denial-of-service condition.

Impact

Exploitation of this vulnerability allows remote code execution. The injected code runs in a context where an infinite loop makes the application unresponsive, resulting in a denial-of-service condition.

Reproduction

To reproduce this vulnerability, upload a '.svelte' file through the '/postLocal' endpoint, ensuring the file name includes JavaScript code, such as a 'while' loop. The uploaded file will be processed in a way that executes the embedded JavaScript, demonstrating the code execution vulnerability.

Remediation

Users can upgrade to Plenti version 0.7.17 or later, where this vulnerability has been patched.
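The root cause described above is an uploaded file name being placed into JavaScript that V8 then executes. The following Go example, added here and not taken from Plenti or its 0.7.17 fix, shows the defensive pattern for that situation: enforce a strict allowlist on the file name and embed it as a JSON-encoded string literal so it can only ever be data, never statements. The `svelte.compile(...)` snippet it builds is an assumed stand-in for whatever JavaScript the server actually generates.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Allowlist for uploaded Svelte file names: a short base name plus ".svelte",
// with no path separators and no quotes, braces or other JavaScript syntax.
var svelteName = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}\.svelte$`)

// ValidateSvelteName rejects anything that is not a plain component file name.
func ValidateSvelteName(name string) error {
	if strings.ContainsAny(name, `/\`) || strings.Contains(name, "..") {
		return fmt.Errorf("path components not allowed in %q", name)
	}
	if !svelteName.MatchString(name) {
		return fmt.Errorf("file name %q does not match allowlist", name)
	}
	return nil
}

// BuildSnippetSafe validates the name, then embeds it as a JSON-encoded string
// literal. JSON encoding quotes and escapes the value, so even a name that
// slipped past the allowlist could not be parsed by V8 as code.
// The svelte.compile call is an assumed example of server-generated JavaScript.
func BuildSnippetSafe(fileName string) (string, error) {
	if err := ValidateSvelteName(fileName); err != nil {
		return "", err
	}
	lit, err := json.Marshal(fileName) // e.g. "Header.svelte"
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("svelte.compile(source, { filename: %s });", lit), nil
}

func main() {
	// Constructed sample names: a legitimate component, a name carrying a
	// JavaScript loop as in the advisory, and a path-traversal attempt.
	for _, n := range []string{"Header.svelte", "while(true){}.svelte", "../Header.svelte"} {
		s, err := BuildSnippetSafe(n)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", s)
	}
}
```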

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          5.0
  exploitability  4.6
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.