Neurophysiologically Pseudoscientific Manatee
Severity: moderate

Arbitrary JavaScript Execution



In affected versions of less-openui5 processing untrusted theming resources might execute arbitrary code.


When processing theming resources (i.e. *.less files) with less-openui5 that originate from an untrusted source, those resources might contain JavaScript code which will be executed in the context of the build process.

While this is a feature of the Less.js library, it is an unexpected behavior in the context of OpenUI5 and SAPUI5 development.

Especially in the context of UI5 Tooling, which relies on less-openui5, this poses a security threat:

An attacker might create a library or theme-library containing a custom control or theme, hiding malicious JavaScript code in one of the .less files.

This is an example of inline JavaScript in a Less file:

.rule {
    @var: `(function(){console.log('Hello from JavaScript'); process.exit(1);})()`;
    color: @var;

Starting with Less.js version 3.0.0, the Inline JavaScript feature is disabled by default. less-openui5 however currently uses a fork of Less.js v1.6.3.

Note that disabling the Inline JavaScript feature in Less.js versions 1.x, still evaluates code has additional double codes around it:

.rule {
    @var: "`(function(){console.log('Hello from JavaScript'); process.exit(1);})()`";
    color: @var;


We decided to remove the inline JavaScript evaluation feature completely from the code of our Less.js fork.

This fix is available in less-openui5 version v0.10.0


Only process trusted theming resources.


Upgrade to version 0.10.0 or later


Have content suggestions? Visit

Advisory timeline

  1. published

    Advisory Published
    Feb 23rd, 2021
  2. reported

    Reported by Anonymous
    Feb 23rd, 2021