Sandbox Breakout

Affecting realms-shim package, versions <1.2.0


Overview

realms-shim is a shim implementation of the Realm API Proposal.

Affected versions of this package are vulnerable to Sandbox Breakout, which would allow an attacker to run arbitrary code.

The vulnerable paths:

1) Reflect.construct can be used on the sandboxed Function constructor to reach the prototypes of the primal Realm.
2) The package's confined evaluator depended upon correct behavior of the spread operator a = [...b, ...c], which could be modified by the confined code.
3) The package has an uncaught exception that may allow an attacker to break out of the sandbox by catching the exception and using the caught Exception object.
4) The package's core evaluator, which must switch between "unsafe mode" and "safe mode" for each call, could be left in "unsafe mode" if an attacker is able to force a RangeError in a specific timeframe.

Remediation

Upgrade realms-shim to version 1.2.0 or higher.
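
To find installs that still need this upgrade, including copies pulled in transitively, the following added example (not part of the original advisory and not Snyk or realms-shim code) scans a parsed package-lock.json for realms-shim versions below 1.2.0. The helper names and the sample lockfile are constructed for illustration.

```javascript
const PKG = 'realms-shim';
const FIXED = [1, 2, 0]; // first fixed release named in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if not plain semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True for versions below 1.2.0. A 1.2.0 prerelease sorts before 1.2.0, and an
// unparseable value (git URL, tarball) is flagged so that someone reviews it.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Collect every affected install of realms-shim from a parsed package-lock.json.
function findAffected(lock) {
  const hits = new Map(); // keyed by install path: v2 lockfiles list each entry twice
  const note = (path, version) => { if (isAffected(version)) hits.set(path, { path, version }); };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PKG)) note(path, meta.version);
  }
  // lockfileVersion 1/2: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === PKG) note(path, meta.version);
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return Array.from(hits.values());
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  packages: {
    'node_modules/realms-shim': { version: '1.2.0' },
    'node_modules/plugin-host/node_modules/realms-shim': { version: '1.1.2' },
  },
};
console.log(findAffected(sampleLock));
```

In a real project, pass the result of JSON.parse on the contents of package-lock.json to findAffected; an empty array means no affected copy is locked.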

CVSS Score

9.8, high severity
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: Unknown
CWE: CWE-265
Snyk ID: SNYK-JS-REALMSSHIM-471680
Disclosed: 02 Oct, 2019
Published: 03 Oct, 2019