Severity: 9.8 - Critical Severity
Affected versions of the replicator npm package are vulnerable to a deserialization RCE via TypedArray objects. replicator does not verify the object type given when deserializing TypedArrays, which lets an attacker create arbitrary objects.
replicator before 1.0.4.
If untrusted data is deserialized, an attacker could achieve RCE.
The command passed to the exec function is executed; the proof of concept is aimed at a Windows machine, where a calculator pops up.
Update replicator dependency to 1.0.4 or above.
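The defensive pattern behind the fix, as an added example that is not replicator's own code: a deserializer that receives a TypedArray type name must resolve the constructor from a fixed allowlist rather than looking it up by the untrusted name, so that no other constructor is reachable. The serialized record shape `{ type, data }` and the function names are assumptions for illustration.

```javascript
// Added example, not replicator's own code. It shows the defensive pattern
// the advisory implies: when a serialized TypedArray record carries a type
// name, resolve the constructor from a fixed allowlist rather than looking it
// up by the untrusted name, so no other constructor can be reached.
// The record shape { type, data } is assumed for illustration.

const TYPED_ARRAY_CTORS = new Map(
  [
    Int8Array, Uint8Array, Uint8ClampedArray,
    Int16Array, Uint16Array,
    Int32Array, Uint32Array,
    Float32Array, Float64Array,
  ].map((ctor) => [ctor.name, ctor]),
);
// BigInt64Array / BigUint64Array are left out: their elements are BigInts and
// would need a different data encoding than plain JSON numbers.

// True only for names in the allowlist. A Map is used instead of a plain
// object so that keys such as "__proto__" or "constructor" never resolve.
function isAllowedTypedArrayType(name) {
  return TYPED_ARRAY_CTORS.has(name);
}

// Serialize a TypedArray into a plain record (constructed format).
function encodeTypedArray(view) {
  if (!ArrayBuffer.isView(view) || view instanceof DataView) {
    throw new TypeError('encodeTypedArray expects a TypedArray');
  }
  return { type: view.constructor.name, data: Array.from(view) };
}

// Deserialize a record back into a TypedArray, refusing anything that is not
// an allowlisted TypedArray type or whose payload is not an array of numbers.
function decodeTypedArray(record) {
  if (record === null || typeof record !== 'object') {
    throw new TypeError('record must be an object');
  }
  const { type, data } = record;
  const ctor = TYPED_ARRAY_CTORS.get(type);
  if (ctor === undefined) {
    throw new TypeError(`refusing to deserialize non-TypedArray type: ${String(type)}`);
  }
  if (!Array.isArray(data) || !data.every((v) => typeof v === 'number')) {
    throw new TypeError('data must be an array of numbers');
  }
  return ctor.from(data);
}

// Stand-alone demonstration: a round trip succeeds, other type names are refused.
const original = new Uint16Array([1, 65535]);
const restored = decodeTypedArray(encodeTypedArray(original));
console.log(restored instanceof Uint16Array, Array.from(restored)); // true [ 1, 65535 ]
for (const bad of ['Date', 'Object', '__proto__']) {
  try {
    decodeTypedArray({ type: bad, data: [] });
  } catch (e) {
    console.log(`rejected ${bad}: ${e.message}`);
  }
}
```

The allowlist is the whole point: the type name from the payload is only ever used as a lookup key into a table the code controls, never as a path to a global, so the set of objects the deserializer can construct is closed. Using a Map rather than a plain object keeps prototype property names from matching anything.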
This issue was discovered and reported by Checkmarx SCA Security Researcher Yaniv Nizry.