Sandbox Breakout Affecting realms-shim package, versions <1.2.0


Snyk CVSS: 0.0 (critical)

  • Attack Complexity: Low
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Snyk ID SNYK-JS-REALMSSHIM-471680
  • published 3 Oct 2019
  • disclosed 2 Oct 2019
  • credit Unknown

Introduced: 2 Oct 2019

CVE NOT AVAILABLE CWE-265

How to fix?

Upgrade realms-shim to version 1.2.0 or higher.

Overview

realms-shim is a shim implementation of the Realm API Proposal.

Affected versions of this package are vulnerable to Sandbox Breakout, which would allow the attacker to run arbitrary code.

The vulnerable paths:

  1. Reflect.construct can be used on the sandboxed Function constructor to reach the prototypes of the primal Realm.
  2. The package's confined evaluator depended upon correct behavior of the spread operator a = [...b, ...c], which could be modified by the confined code.
  3. The package has an uncaught exception that may allow an attacker to break out of the sandbox by catching the exception and using the caught Exception object.
  4. The package's core evaluator, which must switch between "unsafe mode" and "safe mode" for each call, could be left in "unsafe mode" if an attacker is able to force a RangeError in a specific timeframe.
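
The failure mode in path 2, shown as an added generic illustration (not realms-shim's code or its fix): array spread resolves Array.prototype[Symbol.iterator] at call time, so code that can write to that property controls the result, while an index-based copy does not use the iterator protocol. The function names mergeWithSpread, mergeByIndex and demonstrate are hypothetical.

```javascript
// Added illustration; all names here are hypothetical, not realms-shim internals.

// Fragile: [...a, ...b] looks up Array.prototype[Symbol.iterator] on every call,
// so the result depends on whatever that property holds at that moment.
function mergeWithSpread(a, b) {
  return [...a, ...b];
}

// Hardened: an index-based copy reads only `length` and the indexed elements.
// It never invokes the iterator protocol, so redefining iteration has no effect.
function mergeByIndex(a, b) {
  const out = [];
  for (let i = 0; i < a.length; i++) out[out.length] = a[i];
  for (let i = 0; i < b.length; i++) out[out.length] = b[i];
  return out;
}

// Runs both helpers while array iteration is redefined, then restores it.
function demonstrate() {
  const original = Array.prototype[Symbol.iterator];
  // Constructed stand-in for confined code that shares the evaluator's Array.prototype.
  Array.prototype[Symbol.iterator] = function* () {
    yield 'substituted';
  };
  try {
    return {
      spread: mergeWithSpread([1, 2], [3]),
      indexed: mergeByIndex([1, 2], [3]),
    };
  } finally {
    // Always restore the intrinsic so the rest of the process is unaffected.
    Array.prototype[Symbol.iterator] = original;
  }
}

const result = demonstrate();
console.log('spread :', JSON.stringify(result.spread));
console.log('indexed:', JSON.stringify(result.indexed));
```

Security-critical code that shares prototypes with untrusted code should avoid syntax that dispatches through mutable properties (spread, for...of, destructuring) or run only against frozen intrinsics.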