Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1tcXYtbTQ1aC1xMmhw
Sandbox Breakout / Arbitrary Code Execution in localeval
All versions of localeval
are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through constructor.constructor
. This may allow attackers to execute arbitrary code in the system. Evaluating the payload
constructor.constructor("return process.env")()
returns the contents of process.env
.
Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-mmqv-m45h-q2hpJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1tcXYtbTQ1aC1xMmhw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-mmqv-m45h-q2hp
References:
- https://github.com/espadrine/localeval/issues/9
- https://github.com/espadrine/localeval/commit/823f112c793b8fae051eeddad61d4ed29804a56c
- https://github.com/espadrine/localeval/commit/ce985eba77a5f89a7f718727cbaa7fb14da40335
- https://github.com/advisories/GHSA-mmqv-m45h-q2hp
Blast Radius: 0.0
Affected Packages
npm:localeval
Dependent packages: 14Dependent repositories: 17
Downloads: 126 last month
Affected Version Ranges: >= 0.0.0, < 15.3.0
Fixed in: 15.3.0
All affected versions: 13.4.14, 13.5.13, 13.5.29, 13.6.10, 13.12.11, 15.2.3
All unaffected versions: 15.3.0