CVE-2019-15657
Arbitrary Code Execution vulnerability in eslint-utils (npm)

Arbitrary Code Execution | No known exploit

What is CVE-2019-15657 About?

This vulnerability affects `eslint-utils` versions in the range >=1.2.0, <1.4.1 and allows Arbitrary Code Execution because `getStaticValue` does not properly sanitize user input. Attackers can supply malicious input that executes arbitrary code during the linting process. Exploitation is relatively straightforward for an attacker who can control the input parsed by the vulnerable function.

Affected Software

eslint-utils >1.2.0, <1.4.1

Technical Details

Versions of eslint-utils in the range >=1.2.0, <1.4.1 are vulnerable to Arbitrary Code Execution. The `getStaticValue` function, intended to statically analyze and resolve values, fails to properly sanitize user-supplied input. An attacker can craft malicious JavaScript code or input that, when processed by `getStaticValue` during the linting process, triggers unintended code execution. This occurs because the function treats attacker-controlled content as legitimate code or commands rather than as data. The attacker's code then runs in the context of the running linter.

What is the Impact of CVE-2019-15657?

Successful exploitation may allow attackers to execute arbitrary code on the system running the linter, leading to full system compromise, data theft, or disruption of developer environments.

What is the Exploitability of CVE-2019-15657?

Exploitation requires an attacker to provide malicious input that is subsequently processed by the getStaticValue function within eslint-utils. The complexity is low to moderate, depending on the attacker's ability to insert arbitrary code into a file that will be linted. No authentication is typically required for the vulnerability itself, but gaining access to the codebase or CI/CD pipeline where linting occurs would be a prerequisite. This is fundamentally a local attack in the context of the linting process, but can be triggered remotely if an attacker can push malicious code to a repository that is then linted in a CI/CD environment. The likelihood of exploitation increases with reliance on eslint-utils for linting untrusted or user-generated code.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2019-15657?

Available Upgrade Options

  • eslint-utils
    • >1.2.0, <1.4.1 → Upgrade to 1.4.1

What are Similar Vulnerabilities to CVE-2019-15657?

Similar Vulnerabilities: CVE-2020-7608, CVE-2020-7674, CVE-2021-23390, CVE-2021-23393, CVE-2017-16016