Improper Input Validation Affecting ses package, versions >=0.13.0 <0.13.5 >=0.14.0 <0.14.5 >=0.15.0 <0.15.24 >=0.16.0 <0.16.1 >=0.17.0 <0.17.1 >=0.18.0 <0.18.7
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-SES-5830612
- published 9 Aug 2023
- disclosed 8 Aug 2023
- credit corrideat
Introduced: 8 Aug 2023
CVE-2023-39532 Open this link in a new tabHow to fix?
Upgrade ses to version 0.13.5, 0.14.5, 0.15.24, 0.16.1, 0.17.1, 0.18.7 or higher.
Overview
ses is a secure runtime for running third-party code safely.
Affected versions of this package are vulnerable to Improper Input Validation. There is an issue in the confinement of guest applications under SES that may manifest as either the ability to exfiltrate information or execute arbitrary code depending on the configuration and implementation of the surrounding host.
Note:
Guest programs running inside a Compartment with as few as no endowments can gain access to the surrounding host’s dynamic import by using dynamic import after the spread operator, like {...import(arbitraryModuleSpecifier)}.
Workaround
Users who are unable to upgrade to the fixed versions can apply the following changes:
On the web, providing a suitably constrained Content-Security-Policy mitigates most of the threat.
With XS, building a binary that lacks the ability to load modules at runtime mitigates the entirety of the threat. That will look like an implementation of fxFindModule in a file like xsPlatform.c that calls fxRejectModuleFile.
There is no known workaround for Node.js.