
High Severity Security vulnerability with package

Open charlieTheBotDev opened this issue 4 years ago • 20 comments

Issue picked up and reported in Snyk: https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765

charlieTheBotDev avatar Feb 17 '21 11:02 charlieTheBotDev

@goto-bus-stop can it be fixed? Thanks!

SymbioticKilla avatar Feb 17 '21 15:02 SymbioticKilla

It's a false positive.

goto-bus-stop avatar Feb 17 '21 15:02 goto-bus-stop

Could you elaborate on that a bit? Snyk have a PoC at https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765 ...

var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src="(function (x) { return `${eval(\"console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())\")}` })()"
var ast = parse(src).body[0].expression;
evaluate(ast)

... and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 has been raised for it

andyedwardsibm avatar Feb 17 '21 16:02 andyedwardsibm

I see, I thought it was the same as this: https://github.com/418sec/huntr/pull/1883. That PR had omitted the quotes.

It looks like the Snyk one is more valid, but still, it's essentially expected behaviour as documented in our readme: https://github.com/browserify/static-eval#security

goto-bus-stop avatar Feb 17 '21 16:02 goto-bus-stop
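A caller-side gate of the kind the readme's security note implies, as an added example (not code from static-eval or from anyone in this thread): it assumes esprima-style ESTree node types and hand-builds the two ASTs so it runs without either package installed.

```javascript
// Added example, not code from static-eval or this thread: an allow list of
// ESTree node types checked *before* an AST reaches evaluate(). The readme
// leaves input trust to the caller; this gate admits only plain data and
// arithmetic expressions and rejects functions, calls and template literals.
const ALLOWED_NODE_TYPES = new Set([
  'Literal', 'Identifier', 'ArrayExpression', 'ObjectExpression', 'Property',
  'BinaryExpression', 'LogicalExpression', 'UnaryExpression', 'ConditionalExpression',
]);
// Depth-first walk; returns the first node type not on the allow list, or null.
function findDisallowedNode(node) {
  if (node === null || typeof node !== 'object') return null;
  if (Array.isArray(node)) {
    for (const child of node) {
      const bad = findDisallowedNode(child);
      if (bad) return bad;
    }
    return null;
  }
  if (typeof node.type === 'string' && !ALLOWED_NODE_TYPES.has(node.type)) return node.type;
  for (const key of Object.keys(node)) {
    if (key === 'type' || key === 'loc' || key === 'range') continue;
    const bad = findDisallowedNode(node[key]);
    if (bad) return bad;
  }
  return null;
}
// Gate: `evaluate` is the caller's evaluator (static-eval's evaluate(ast, vars)
// in practice); it is only invoked when the AST passes the allow list.
function safeEvaluate(ast, evaluate, vars) {
  const bad = findDisallowedNode(ast);
  if (bad) throw new Error('refusing untrusted AST: contains ' + bad);
  return evaluate(ast, vars);
}
// Constructed AST fragments, hand-written in the shape esprima produces so the
// example runs offline. POC_AST mirrors the thread's PoC:
//   (function (x) { return `${eval("...")}` })()
const POC_AST = {
  type: 'CallExpression', arguments: [],
  callee: { type: 'FunctionExpression', params: [{ type: 'Identifier', name: 'x' }],
    body: { type: 'BlockStatement', body: [{ type: 'ReturnStatement',
      argument: { type: 'TemplateLiteral', quasis: [], expressions: [{
        type: 'CallExpression', callee: { type: 'Identifier', name: 'eval' },
        arguments: [{ type: 'Literal', value: '...' }] }] } }] } },
};
// BENIGN_AST is `x + 1`, which a static evaluator resolves from vars.
const BENIGN_AST = { type: 'BinaryExpression', operator: '+',
  left: { type: 'Identifier', name: 'x' }, right: { type: 'Literal', value: 1 } };
```

The PoC's AST is refused at its outermost CallExpression before any evaluator runs, while the arithmetic AST passes through unchanged.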

This issue is also in NVD-CVE-2021-23334. It's giving a hard time to other libraries; in my case, pdfmake: it's a high-severity vulnerability reported by npm, and it's being blocked by systems that handle this type of package.

Any workaround that we can use, or possibly a solution?

cgonzalezp91 avatar Feb 23 '21 19:02 cgonzalezp91

I emailed Snyk and they said they would revoke the CVE. I'm not sure how that works, so it might take a few days.

goto-bus-stop avatar Feb 23 '21 19:02 goto-bus-stop

Any more info about the CVE revoke?

cakenyo avatar Mar 28 '21 18:03 cakenyo

It's already revoked. WhiteSource at least doesn't show it as a CVE anymore.

SymbioticKilla avatar Mar 28 '21 18:03 SymbioticKilla

@SymbioticKilla But I guess a REJECT was not officially requested from the assigning CNA? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 the assigning CNA was "Snyk", so if the issue turns out to be a non-security issue and the CVE invalid, the respective CNA would need to reject the entry.

carnil avatar Mar 28 '21 18:03 carnil

Do we have any update?

namtx avatar Apr 20 '21 07:04 namtx

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071860

Snyk has updated their own system to reflect that this was deemed not an issue. However, it has yet to get up to the CVE database to be revoked/amended. I just tweeted at Snyk to see how long that process normally takes. I doubt I'll hear anything, but... it seems to be the best way to get in touch about something like this.

Garbee avatar Apr 29 '21 13:04 Garbee

Hey @Garbee, thanks for raising this issue. Yep, I agree: anything going into evaluate should not be trusted, and it is not the maintainer's responsibility to sanitise user input. This was added by Snyk by mistake; apologies for the spam. I will revoke the CVE and mark any Snyk references as a false positive. (Expect this change in the next 24 hours.)

snoopysecurity avatar Apr 29 '21 16:04 snoopysecurity

Doesn't look like the CVE database maintainers poll updates to existing issues that are revoked unfortunately :(

I sent a report last month to the CVE database and didn't hear back. Maybe someone else will be luckier. For https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 you will need to post a request here asking for a CVE update and then asking for the CVE to be revoked: https://cveform.mitre.org/

alasdairhurst avatar Apr 30 '21 13:04 alasdairhurst

Hey, after contacting MITRE through multiple channels, CVE-2021-23334 has been marked as rejected/revoked. Hope this helps. This issue can be closed.

snoopysecurity avatar Jun 24 '21 08:06 snoopysecurity

npm audit from today =(

Critical Withdrawn: Arbitrary Code Execution in static-eval

Package static-eval

Patched in No patch available

Dependency of @amcharts/amcharts4

Path @amcharts/amcharts4 > pdfmake > svg-to-pdfkit > pdfkit > linebreak > brfs > static-module > static-eval

SymbioticKilla avatar Oct 07 '21 13:10 SymbioticKilla

Same problem here =(

leonardomaier avatar Oct 07 '21 21:10 leonardomaier

For those commenting about failing npm/yarn audits suddenly today, I suspect this has to do with the background change to the npm advisories database which now points to the github advisories db: https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/

Not sure what to do with this info yet but an fyi @leonardomaier @SymbioticKilla

kmannislands avatar Oct 08 '21 00:10 kmannislands

Same issue here also. Any update?

JingBluestone avatar Oct 08 '21 02:10 JingBluestone

This package is very stable and the only maintenance effort is in dealing with bogus security warnings. idk why npm doesn't just allow you to silence warnings that are clearly bullshit instead of forcing us to do useless work. I guess I'll email them about this one…

goto-bus-stop avatar Oct 08 '21 07:10 goto-bus-stop

For folks who use auditjs: use whitelisting.

  1. Just add a file auditjs.json to the folder where you run the auditjs command, with the following content: { "ignore": [ { "id": "CVE-2021-23334", "reason": "any reason you want" } ] }

  2. Run the audit command: npx auditjs ossi --whitelist /path/to/file/auditjs.json

DarthVitalus avatar May 26 '22 07:05 DarthVitalus