CVE-2017-16226
UNKNOWN
Published 2018-06-07T02:00:00Z
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2017-16226. We'll provide specific mitigation strategies based on your environment and risk profile.
No CVSS data available
Description
The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
Affected Products
Affected Versions:
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
✓ GitHub Reviewed
MODERATE
Sandbox Breakout / Arbitrary Code Execution in static-eval
GHSA-5mjw-6jrh-hvfqAdvisory Details
Affected versions of `static-eval` pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.
## Proof of concept
```js
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, {});
// Will print the process id
```
## Recommendation
Update to version 2.0.0 or later.
Affected Packages
npm
static-eval
ECOSYSTEM:
≥0
<2.0.0
CVSS Scoring
CVSS Score
5.0
References
Advisory provided by GitHub Security Advisory Database. Published: August 6, 2018, Modified: September 11, 2023
References
Published: 2018-06-07T02:00:00Z
Last Modified: 2024-09-16T16:38:08.513Z
Copied to clipboard!