Arbitrary Code Execution Affecting sandbox package, versions *
Snyk CVSS
Attack Complexity: Low
Confidentiality: High
Integrity: High
Availability: High
- Snyk ID npm:sandbox:20160821
- published 7 Nov 2017
- disclosed 21 Aug 2016
- credit io void
How to fix?
There is no fix version for sandbox.
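Because no fixed release exists, remediation starts with finding every direct or transitive copy of the package in a project's lockfile. The following is an added example, not part of the advisory or of the sandbox project; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: find every installed copy of the npm package "sandbox"
// in a parsed package-lock.json. Helper names are hypothetical.
const ADVISORY = "npm:sandbox:20160821"; // Snyk ID from this page
const PACKAGE = "sandbox"; // every version is affected; no fixed release

// lockfileVersion 2/3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/sandbox".
function fromPackages(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" (root project) or a workspace folder
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (name === PACKAGE) hits.push({ path, version: meta.version });
  }
  return hits;
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function fromDependencies(deps, trail = []) {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === PACKAGE) hits.push({ path: here.join(" > "), version: meta.version });
    hits.push(...fromDependencies(meta.dependencies, here));
  }
  return hits;
}

function findSandbox(lock) {
  return lock.packages ? fromPackages(lock.packages) : fromDependencies(lock.dependencies);
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chat-bot": { version: "2.1.0" },
    "node_modules/chat-bot/node_modules/sandbox": { version: "0.8.6" },
    "node_modules/@acme/sandbox": { version: "1.0.0" }, // scoped name: a different package
  },
};

for (const hit of findSandbox(sampleLock)) {
  console.log(`${ADVISORY}: ${PACKAGE}@${hit.version} at ${hit.path}`);
}
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findSandbox`.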
Overview
sandbox is a nifty JavaScript sandbox for Node.js.
Affected versions of the package are vulnerable to Arbitrary Code Execution. It is possible to escape the sandbox by using a combination of functions and constructors, allowing an attacker to access a process with root permissions and load modules of their choosing in order to execute malicious code.
PoC by io Void:
new Function("return (this.constructor.constructor('return (this.process.mainModule.constructor._load)')())")()("util").inspect("hi")