CVE-2017-16226
Sandbox Breakout / Arbitrary Code Execution in static-eval
EPSS 1.3%
Description
Affected versions of `static-eval` pass untrusted user input directly to the global `Function` constructor, resulting in arbitrary code execution when an attacker-controlled expression is evaluated with the package.

## Proof of concept

```js
var evaluate = require('static-eval');
var parse = require('esprima').parse;

// Attacker-controlled expression: an immediately-invoked function expression.
var src = '(function(){console.log(process.pid)})()';

// Reduce the parsed program to the single expression node static-eval expects.
var ast = parse(src).body[0].expression;

// On affected versions (< 2.0.0) the function body is handed to Function()
// and runs with full access to the host process, not in a sandbox.
var res = evaluate(ast, {});
// Will print the process id
```

## Recommendation

Update to version 2.0.0 or later.
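The root cause above is that source text reaches `Function()`, which executes in the real realm with every global in scope, so any "static" evaluator that takes that shortcut for function nodes is a sandbox in name only. The following is an added example, not static-eval's own code or its 2.0.0 fix: a minimal whitelist AST interpreter that only handles the node types it understands and rejects everything else (including `FunctionExpression` and `CallExpression`), placed next to the unsafe `Function()` pattern for contrast. The ASTs are hand-constructed ESTree objects (labelled as such) so the block runs without esprima; `safeEval`, `unsafeEval`, `FORBIDDEN_KEYS` and `demo` are names chosen here.

```javascript
// Added example (not static-eval's code): a whitelist AST interpreter that
// never touches Function()/eval, beside the unsafe pattern the advisory
// describes. ASTs are hand-constructed ESTree objects so no parser is needed.

const BINARY_OPS = {
  '+': (a, b) => a + b,
  '-': (a, b) => a - b,
  '*': (a, b) => a * b,
  '/': (a, b) => a / b,
  '===': (a, b) => a === b,
  '<': (a, b) => a < b,
};

// Property names that let an expression climb from a plain object to
// Object.prototype or the Function constructor.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Whitelist interpreter: any node type not listed is rejected, which is what
// keeps FunctionExpression / CallExpression (the escape route) out entirely.
function safeEval(node, vars = {}) {
  switch (node.type) {
    case 'Literal':
      return node.value;
    case 'Identifier':
      if (!Object.prototype.hasOwnProperty.call(vars, node.name)) {
        throw new Error(`unknown identifier: ${node.name}`);
      }
      return vars[node.name];
    case 'BinaryExpression': {
      const op = BINARY_OPS[node.operator];
      if (!op) throw new Error(`unsupported operator: ${node.operator}`);
      return op(safeEval(node.left, vars), safeEval(node.right, vars));
    }
    case 'ArrayExpression':
      return node.elements.map((el) => safeEval(el, vars));
    case 'ObjectExpression': {
      const out = {};
      for (const prop of node.properties) {
        const key = prop.key.type === 'Identifier'
          ? prop.key.name : String(safeEval(prop.key, vars));
        if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key: ${key}`);
        out[key] = safeEval(prop.value, vars);
      }
      return out;
    }
    case 'MemberExpression': {
      const obj = safeEval(node.object, vars);
      const key = node.computed
        ? String(safeEval(node.property, vars)) : node.property.name;
      // Own properties of plain objects only; no prototype walking.
      if (FORBIDDEN_KEYS.has(key) || obj === null || typeof obj !== 'object' ||
          !Object.prototype.hasOwnProperty.call(obj, key)) {
        throw new Error(`forbidden or missing property: ${key}`);
      }
      return obj[key];
    }
    default:
      // FunctionExpression, CallExpression, NewExpression, ... all land here.
      throw new Error(`unsupported node type: ${node.type}`);
  }
}

// The unsafe pattern from the advisory: text handed to the global Function
// constructor runs with the host's globals in scope. Contrast only.
function unsafeEval(src) {
  return Function(`return (${src});`)();
}

// Constructed ESTree for the advisory's PoC shape: (function(){ ... })()
const escapeAst = {
  type: 'CallExpression',
  callee: { type: 'FunctionExpression', id: null, params: [],
            body: { type: 'BlockStatement', body: [] } },
  arguments: [],
};

// Constructed ESTree for: 1 + 2 * x
const arithAst = {
  type: 'BinaryExpression', operator: '+',
  left: { type: 'Literal', value: 1 },
  right: { type: 'BinaryExpression', operator: '*',
           left: { type: 'Literal', value: 2 },
           right: { type: 'Identifier', name: 'x' } },
};

function demo() {
  const results = {};
  results.arith = safeEval(arithAst, { x: 3 });            // 7
  try { safeEval(escapeAst, {}); results.escape = 'executed'; }
  catch (e) { results.escape = e.message; }                 // rejected
  // The same shortcut the vulnerable code took: full access to the realm.
  results.unsafeReachesGlobals = unsafeEval('typeof globalThis') === 'object';
  return results;
}

console.log(demo());
```

The design point is the `default` branch: a safe evaluator is defined by what it refuses, so new syntax is rejected until someone consciously adds a handler, and nothing in the interpreter can be coaxed into producing source text for `Function()`.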
How to fix CVE-2017-16226
To fix CVE-2017-16226, upgrade the affected package to the patched version listed below.
- `static-eval`: upgrade to 2.0.0 or later
Is CVE-2017-16226 being exploited?
Low: the EPSS score is 1.3% and no large-scale exploitation activity has been observed.
Affected packages (1)
- `static-eval`: >= 0, < 2.0.0