Arbitrary Code Execution in static-eval

Do your applications use this vulnerable package? Test your applications

Overview

static-eval is a module to evaluate statically-analyzable expressions.

Affected versions of the package are vulnerable to Arbitrary Code Execution. If un-sanitized user input is passed to static-eval, it is possible to break out of the sandboxed instance, and execute arbitrary code from the standard library.

Remediation

Upgrade static-eval to version 2.0.0 or higher.

References

Matt Austin's Blog
GitHub PR
GitHub Commit

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

Low

Credit: Matt Austin
CVE: CVE-2017-16226
CWE: CWE-94
Snyk ID: npm:static-eval:20171016
Disclosed: 16 Oct, 2017
Published: 18 Oct, 2017

Arbitrary Code Execution
Affecting static-eval package, versions <2.0.0

Overview

Remediation

References

CVSS Score

Arbitrary Code Execution Affecting static-eval package, versions <2.0.0

Overview

Remediation

References

Arbitrary Code Execution
Affecting static-eval package, versions <2.0.0