~ 3 min read
Disclosing code injection vulnerabilities in safe-eval-2 npm package
During a security research as part of my upcoming Code Injection book about Node.js Secure Coding I audited several npm packages and found a code injection vulnerability in the safe-eval-2 npm package.
This package is a fork of the original safe-eval
package, which was supposed to be a promise for a secure JavaScript eval()
function, but history proved otherwise. The original safe-eval
package was found to be vulnerable to code injection attacks multiple times, and the safe-eval-2
npm package forked by another user (lcnvdl), included some commits, and published as a new version and alternative to the original package, that is supposed to be secure.
Luckily, safe-eval-2
doesn’t include many downloads or dependant packages, but it’s still important to disclose the vulnerability an create a CVE identifier for it so that the community can be aware of the risks of using this package.
Code injection in safe-eval and safe-eval-2 vulnerability details
There are many ways to bypass the security sandbox of safe-eval
and all versions are now considered vulnerable and JavaScript developers should not use it in their applications.
Following are publicly known proof-of-concept payloads that attackers could employ to exploit server-side JavaScript applications running Node.js or other compatible runtimes that support safe-eval
or safe-eval-2
:
The above code snippet demonstrates an exploit in which an immediately invoked function expression (IIFE) uses the hasOwnProperty
method to access the process
object and execute a shell command to create a file named flag
in the root directory of the running Node.js server.
Another proof-of-concept payload that demonstrates a code injection vulnerability in safe-eval
is:
In this case, the exploit uses the __defineGetter__
method to trigger an error, then using the Error object, traverse the prototype chain and access the process
object to execute a shell command that creates a file named flag
in the root directory of the Node.js server.
Well, safe-eval-2
is also vulnerable. Here are a few examples of how to exploit the safe-eval-2
package:
Vulnerability disclosure
This code injection vulnerability affects all known versions of safe-eval-2
which to this date is 0.4.2
and prior.
Since the safe-eval-2
package is a fork of the original safe-eval
package, and not allowing for new issues to be reported, nor isn’t a great risk to the community due to the low usage, I am going to disclose this vulnerability publicly through this blog post and an issue opened in the upstream project safe-eval
repository.
Learn how to mitigate code injection
As I mentioned in the opening paragraph, I am working on a book about secure coding in Node.js that focuses entirely on code injection vulnerabilities in JavaScript and the Node.js runtime.
You’ll learn how to mitigate the type of code injection vulnerabilities like I shared here about safe-eval-2
as well as different exploitation methods and payloads. If you are interested in learning more about this topic, I invite you to get the book and level up on security skills as a developer: Node.js Secure Coding: Mitigating and Exploiting Code Injection Vulnerabilities.