Sandbox Breakout Affecting realms-shim package, versions <1.2.1


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High
    Availability High

  • Snyk ID SNYK-JS-REALMSSHIM-536069
  • published 26 Nov 2019
  • disclosed 21 Oct 2019
  • credit Unknown

Introduced: 21 Oct 2019

CVE NOT AVAILABLE CWE-265

How to fix?

Upgrade realms-shim to version 1.2.1 or higher.
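
To confirm the upgrade took effect everywhere in the dependency tree, this added example (not part of the advisory or of Snyk's tooling) scans a parsed package-lock.json object for installed copies of realms-shim older than 1.2.1. The sample lockfiles and the `some-dep` package name are constructed, and a version string that cannot be parsed is assumed to need manual review.

```javascript
const PKG = "realms-shim";
const FIXED = [1, 2, 1]; // first fixed version named in this advisory

// True when `version` sorts before 1.2.1 (build metadata after "+" is ignored).
function isVulnerable(version) {
  const v = String(version).split("+")[0];
  const dash = v.indexOf("-");
  const core = dash < 0 ? v : v.slice(0, dash);
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return true; // assumption: flag for review
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return dash >= 0; // a 1.2.1 pre-release sorts before the 1.2.1 release
}

// Returns [{ path, version }] for every vulnerable copy in a parsed lockfile.
function findVulnerable(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === PKG && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "node_modules/realms-shim": { version: "1.2.1" },
    "node_modules/some-dep/node_modules/realms-shim": { version: "1.1.2" },
  },
};
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "some-dep": { version: "2.0.0", dependencies: { "realms-shim": { version: "1.2.0" } } },
} };
console.log(JSON.stringify([findVulnerable(sampleV3), findVulnerable(sampleV1)], null, 2));
```

For a real project, pass in the result of parsing its package-lock.json; a transitive copy pinned below 1.2.1 is reported even when the top-level copy is already fixed.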

Overview

realms-shim is a shim implementation of the Realm API Proposal.

Affected versions of this package are vulnerable to Sandbox Breakout. The realms-shim is intended to provide a "safe evaluator" which executes arbitrary strings of code with limited authority. This provides a "sandbox" which only has access to the specific objects and power that the caller chooses to expose. The evaluate() function it implements takes two additional arguments: endowments (which are exposed in the global lexical scope), and an options bag. The transforms option is a list of functions that are applied to the string of code, to apply Babel-like transformations before it gets executed (e.g. to implement syntax extensions).

A bug was found in the transformation pipeline that exposed a primal-Realm object to one of the transform functions. The confined code could use this to escape the sandbox and compromise the Realm which created it. This generally leads to a full compromise of the application.
