CVE-2017-16226
Arbitrary Code Execution vulnerability in static-eval (npm)


What is CVE-2017-16226 About?

The `static-eval` package is vulnerable to arbitrary code execution because it passes untrusted user input directly to the global function constructor. This allows an attacker to execute arbitrary code on the system. Exploitation is straightforward, requiring only controlled input to the package.

Affected Software

static-eval <2.0.0

Technical Details

The vulnerability in static-eval stems from its design decision to pass untrusted, user-supplied input directly to JavaScript's global `Function` constructor during parsing and evaluation. Specifically, when static-eval receives user input that is parsed with `esprima.parse` and then handed to `evaluate` without sanitization or sandboxing, the string content of that input is incorporated into dynamically generated JavaScript source. An attacker can therefore inject and execute arbitrary JavaScript within the context of the application, as demonstrated by passing a function call such as `(function(){console.log(process.pid)})()` as the expression to evaluate.
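The root cause above is that the evaluator ever reaches `Function` at all. The following is an added example, not static-eval's own code and not the fix shipped in 2.0.0: a small constant-expression evaluator written as a recursive-descent parser over an explicit grammar (number and string literals, identifiers resolved only from a caller-supplied table, parentheses, unary minus and the four arithmetic operators). Because it never calls `Function` or `eval`, anything outside that grammar, including the page's `(function(){console.log(process.pid)})()` payload, is a parse error rather than code execution. The names `tokenize`, `evaluateStatic` and `isRejected` are this example's own.

```javascript
'use strict';

// Added example (not static-eval's code): a constant-expression evaluator
// that never touches the Function constructor or eval. Only tokens that
// match TOKEN are accepted; braces, dots, commas and so on are rejected
// before any evaluation happens.
const TOKEN = /\s*(?:(\d+(?:\.\d+)?)|"([^"\\]*)"|([A-Za-z_$][\w$]*)|([-+*/()]))/y;

function tokenize(src) {
  const tokens = [];
  const end = src.trimEnd().length; // ignore trailing whitespace
  let pos = 0;
  while (pos < end) {
    TOKEN.lastIndex = pos;
    const m = TOKEN.exec(src);
    if (!m) throw new SyntaxError(`unexpected character at offset ${pos}`);
    pos = TOKEN.lastIndex;
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'str', value: m[2] });
    else if (m[3] !== undefined) tokens.push({ type: 'id', value: m[3] });
    else tokens.push({ type: 'op', value: m[4] });
  }
  return tokens;
}

// Grammar:  expr := term (('+'|'-') term)*
//           term := factor (('*'|'/') factor)*
//           factor := num | str | id | '-' factor | '(' expr ')'
function evaluateStatic(src, vars = Object.create(null)) {
  const tokens = tokenize(src);
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const isOp = (t, ...ops) => t && t.type === 'op' && ops.includes(t.value);

  function expr() {
    let left = term();
    while (isOp(peek(), '+', '-')) {
      const op = next().value;
      const right = term();
      left = op === '+' ? left + right : left - right;
    }
    return left;
  }

  function term() {
    let left = factor();
    while (isOp(peek(), '*', '/')) {
      const op = next().value;
      const right = factor();
      left = op === '*' ? left * right : left / right;
    }
    return left;
  }

  function factor() {
    const t = next();
    if (!t) throw new SyntaxError('unexpected end of input');
    if (t.type === 'num' || t.type === 'str') return t.value;
    if (t.type === 'id') {
      // Identifiers resolve only against the explicit table; there is no
      // path from here to globals such as process or require.
      if (!Object.prototype.hasOwnProperty.call(vars, t.value)) {
        throw new ReferenceError(`unknown identifier '${t.value}'`);
      }
      return vars[t.value];
    }
    if (isOp(t, '-')) return -factor();
    if (isOp(t, '(')) {
      const v = expr();
      if (!isOp(next(), ')')) throw new SyntaxError("expected ')'");
      return v;
    }
    throw new SyntaxError(`unexpected token '${t.value}'`);
  }

  const result = expr();
  if (i !== tokens.length) throw new SyntaxError('trailing input after expression');
  return result;
}

// True when the evaluator refuses the input (any thrown error), which is
// the expected outcome for anything that is not a plain constant expression.
function isRejected(src, vars) {
  try {
    evaluateStatic(src, vars);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed inputs: a benign expression and the payload quoted on this page.
console.log(evaluateStatic('(1 + 2) * limit', { limit: 3 }));          // 9
console.log(isRejected('(function(){console.log(process.pid)})()'));  // true

module.exports = { tokenize, evaluateStatic, isRejected };
```

The design point is the allow-list: the set of things the evaluator can do is fixed by its grammar and its identifier table, so there is nothing for a crafted string to reach. A general AST-walking evaluator can be made equally safe, but only if every node type it does not explicitly handle is rejected rather than delegated to `Function`.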

What is the Impact of CVE-2017-16226?

Successful exploitation may allow attackers to execute arbitrary code on the host system, leading to full system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2017-16226?

Exploitation of this arbitrary code execution vulnerability is simple: an attacker only needs to provide specially crafted input to the static-eval package. There are no explicit authentication or privilege requirements; if an application feeds untrusted input to static-eval, an unauthenticated attacker could potentially exploit it. Exploitation is typically local, as it requires the attacker to control an input parameter within the application's execution flow. The only prerequisite is that the application uses the vulnerable static-eval package and processes user-controlled input through it. Risk factors that increase exploitation likelihood include any application that directly uses or chains this package with user input without validation or sandboxed execution.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2017-16226?

Available Upgrade Options

  • static-eval
    • <2.0.0 → Upgrade to 2.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2017-16226?

Similar Vulnerabilities: CVE-2020-7712, CVE-2020-7713, CVE-2020-7731, CVE-2021-32692, CVE-2021-39144