CVE-2026-26720
Twenty CRM · Twenty CRM
Twenty CRM is vulnerable to arbitrary code execution via the local.driver.ts module, allowing a remote attacker to compromise the application server.
Executive summary
Twenty CRM versions v1.15.0 and earlier contain a critical vulnerability in the local.driver.ts module that allows remote attackers to execute arbitrary code.
Vulnerability
The vulnerability resides in the local.driver.ts module, where input reaching the driver is not validated sufficiently, and a remote attacker can use this to execute arbitrary code on the application server. The advisory does not state which validation is missing or what privilege level the attacker needs; until the vendor details are confirmed, assume the driver is reachable through unauthenticated or low-privileged requests.
Business impact
A successful exploit allows full application and server compromise, exposing sensitive CRM data such as customer contacts and business leads and giving the attacker a foothold on the host. The CVSS score of 9.8 reflects a critical threat to the confidentiality, integrity and availability of the entire CRM platform.
Remediation
Immediate Action: Upgrade Twenty CRM to the first release after v1.15.0 that the project marks as fixed for this issue; the fixed version is not given here, so confirm it against the vendor advisory before deploying.
Proactive Monitoring: Audit application and file-storage logs for unexpected writes under the local storage directory (for example script or executable files appearing in upload locations), and check deployed application files for unauthorized modifications, which would indicate post-exploitation persistence rather than the initial exploit.
Compensating Controls: Until patched, place the instance behind a Web Application Firewall that filters common code injection patterns, limit which users can upload files, keep the local storage directory outside the web root and mounted without execute permission, and run the server process with the least privilege it needs. Treat these as partial mitigations only; they reduce exposure but do not remove the flaw.
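The advisory only says that input reaching the local driver is insufficiently validated, so the exact gap is unknown. The following is an added example, not Twenty's code, of the validation a local file-storage driver must perform on caller-supplied folder and filename components before touching the filesystem: reject NUL bytes and absolute components, require the filename to be a single segment, and confirm that the normalised result still lies beneath the configured storage root. The storage root path, the function names and the sample inputs are assumptions constructed for this example.

```typescript
import * as path from "node:path";

// Assumed storage root for this example; a real driver reads it from configuration.
const STORAGE_ROOT = path.resolve("/var/lib/twenty/storage");

class PathValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "PathValidationError";
  }
}

/**
 * Map a caller-supplied (folder, filename) pair to an absolute path that is
 * guaranteed to lie inside STORAGE_ROOT. Throws PathValidationError otherwise.
 *
 * Checks, in order:
 *  1. no NUL bytes (native string APIs truncate at NUL, so "a\0.js" becomes "a")
 *  2. neither component is absolute (path.resolve would discard the root)
 *  3. filename is exactly one path segment and is not "." or ".."
 *  4. after normalisation the candidate is still strictly below the root
 */
function resolveStoragePath(folder: string, filename: string): string {
  if (folder.includes("\0") || filename.includes("\0")) {
    throw new PathValidationError("NUL byte in path component");
  }
  if (path.isAbsolute(folder) || path.isAbsolute(filename)) {
    throw new PathValidationError("absolute path component");
  }
  if (
    filename === "" ||
    filename === "." ||
    filename === ".." ||
    path.basename(filename) !== filename
  ) {
    throw new PathValidationError("filename must be a single path segment");
  }
  const candidate = path.resolve(STORAGE_ROOT, folder, filename);
  const rel = path.relative(STORAGE_ROOT, candidate);
  if (
    rel === "" ||
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel)
  ) {
    throw new PathValidationError(`path escapes storage root: ${candidate}`);
  }
  return candidate;
}

// Wrap the check so callers get a one-line verdict instead of an exception.
function classify(folder: string, filename: string): string {
  try {
    return `ALLOW ${resolveStoragePath(folder, filename)}`;
  } catch (err) {
    if (err instanceof PathValidationError) return `REJECT ${err.message}`;
    throw err;
  }
}

// Constructed sample inputs (not taken from any real request) showing what
// the check accepts and rejects.
const samples: Array<[string, string]> = [
  ["attachments", "report.pdf"],
  ["profile-picture/42", "avatar.png"],
  ["attachments/../../../etc", "passwd"],
  ["attachments", "../../.ssh/authorized_keys"],
  ["/tmp", "evil.js"],
  ["attachments", "a\0.js"],
];

for (const [folder, filename] of samples) {
  console.log(`${JSON.stringify([folder, filename])} -> ${classify(folder, filename)}`);
}
```

Two caveats a driver author should keep in mind: the check must run on the decoded values the driver will actually use (a URL-encoded "..%2f" that is decoded after validation defeats it), and path.resolve does not follow symlinks, so a deployment that permits symlinks inside the storage root should additionally compare fs.realpath of the root and of the created file.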
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations running Twenty CRM should treat this as a critical priority. Remote code execution through a core module calls for immediate patching, followed by a review of the deployment's security configuration and of the storage directory for signs of prior exploitation.