CVE-2020-7710
Sandbox Escape vulnerability in safe-eval (npm)
What is CVE-2020-7710 About?
All versions of the `safe-eval` package are vulnerable to a Sandbox Escape leading to Remote Code Execution. The package fails to properly restrict access to the main context through Error objects, enabling attackers to execute arbitrary code. Exploiting this vulnerability is relatively straightforward given the documented payload.
Affected Software
Technical Details
The `safe-eval` package aims to provide a sandboxed environment for evaluating untrusted JavaScript code, but it does not adequately isolate that sandbox from the main Node.js context. The vulnerability arises because properties of JavaScript `Error` objects, particularly `__proto__` and `stack`, are not sanitized or restricted when they cross from the sandbox into the main context.

An attacker can craft a malicious JavaScript payload that, when evaluated, manipulates `Error.prototype` or the `stack` property of an `Error` object. By setting the `stack` property to an object with a `match` method, the attacker can cause `match` to invoke core Node.js functions, such as `constructor.constructor('return process.env')()`, within the main context. This allows arbitrary code execution outside the intended sandbox, as demonstrated by printing `process.env`.
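The defensive lesson of the mechanism above is that a host must treat every value that comes back from an untrusted evaluator as inert data and never invoke a method on it: if host code calls `stack.match(...)` and `stack` is a sandbox-supplied object, the sandbox's `match` runs with host-realm arguments. The following normaliser, an added example that is not code from `safe-eval` or from this advisory, copies only primitive strings out of an Error-like value, so a planted non-string `stack` is dropped and flagged instead of being used. The function names (`primitiveString`, `toPlainError`, `reportSandboxError`) and the field limit are assumptions made for the example.

```javascript
// Added example, not code from safe-eval or from the advisory.
// Principle: values originating in a sandbox are data, never callables.
// This reduces the attack surface of a broken sandbox; it does not turn a
// same-process sandbox into a security boundary (untrusted code belongs in a
// separate process with a serialized message interface).

const MAX_FIELD_LENGTH = 4096; // assumed limit, keeps log records bounded

// Return `value` only if it is a primitive string. `typeof` rejects String
// wrapper objects and any object that merely carries a `.match` method.
function primitiveString(value) {
  return typeof value === 'string' ? value.slice(0, MAX_FIELD_LENGTH) : null;
}

// Convert an Error-like value produced by sandboxed code into a plain host
// object holding only strings. Nothing on `value` is ever called; each
// property is read once. (A sandbox-defined getter would still run on read,
// one more reason to prefer process isolation for real workloads.)
function toPlainError(value) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    // A thrown primitive such as a string, number or symbol.
    const message = typeof value === 'symbol' ? 'symbol' : String(value);
    return { name: 'Error', message, stack: null, suspicious: false };
  }
  const stackRaw = value.stack;
  const stack = primitiveString(stackRaw);
  return {
    name: primitiveString(value.name) ?? 'Error',
    message: primitiveString(value.message) ?? '',
    stack,
    // The runtime only ever produces a string stack; anything else was planted.
    suspicious: stackRaw !== undefined && stack === null,
  };
}

// Host-side handling of a sandbox failure: log the normalised record and
// never touch the original object again. Returns the record for the caller.
function reportSandboxError(value) {
  const record = toPlainError(value);
  if (record.suspicious) {
    console.warn(`sandbox error with non-string stack (${record.name}): ${record.message}`);
  }
  return record;
}
```

A flagged record is also a useful detection signal: a `stack` that is not a string never occurs in normal operation, so logging `suspicious` records gives a cheap indicator that someone is probing the evaluator.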
What is the Impact of CVE-2020-7710?
Successful exploitation may allow attackers to execute arbitrary code on the host system, leading to full system compromise, data exfiltration, or denial of service.
What is the Exploitability of CVE-2020-7710?
Exploitation is relatively simple: the attacker only needs to supply a malicious script to the `safe-eval` function. There are no authentication prerequisites; any application that uses `safe-eval` to evaluate attacker-controlled input is vulnerable, and the attack is remote whenever the vulnerable `safe-eval` call processes user input from a network request. The provided Proof of Concept (PoC) code demonstrates a clear attack vector. The risk of exploitation is high if `safe-eval` is used for user-provided scripts where security is critical.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7710?
Available Upgrade Options
- No fixes available
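Since no fixed version exists, remediation means locating every copy of `safe-eval` in the dependency tree, including transitive copies nested under other packages, and removing or replacing it. The scanner below is an added example, not code from the advisory or the `safe-eval` project; it reads a parsed `package-lock.json`, handling both lockfile v2/v3 (flat `packages` map keyed by `node_modules` path) and v1 (nested `dependencies`). The sample lockfiles, package names and version numbers in it are constructed for the example.

```javascript
// Added example, not from the advisory or the safe-eval project.
// Finds every installed copy of a package in an npm lockfile.

// Collect every copy of `name` from a parsed lockfile.
// Returns [{ path, version, dev }] sorted by path.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages && typeof lock.packages === 'object') {
    // v2/v3: keys such as "node_modules/a/node_modules/safe-eval"; "" is the root.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version ?? 'unknown', dev: Boolean(meta.dev) });
      }
    }
  } else if (lock.dependencies) {
    // v1: nested tree, each entry may carry its own "dependencies".
    walkV1(lock.dependencies, '', name, hits);
  }
  return hits.sort((a, b) => a.path.localeCompare(b.path));
}

function walkV1(deps, prefix, name, hits) {
  for (const [dep, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${dep}`;
    if (dep === name) {
      hits.push({ path, version: meta.version ?? 'unknown', dev: Boolean(meta.dev) });
    }
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/`, name, hits);
  }
}

// Parse lockfile text, print each hit, and return the list. Typical use:
//   auditLockfile(fs.readFileSync('package-lock.json', 'utf8'), 'safe-eval')
function auditLockfile(text, name) {
  const hits = findPackage(JSON.parse(text), name);
  for (const h of hits) console.log(`${h.path}@${h.version}${h.dev ? ' (dev)' : ''}`);
  return hits;
}

// Constructed sample lockfiles (not real projects; versions are made up)
// so the example runs stand-alone.
const SAMPLE_V3 = JSON.stringify({
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'rule-engine': '^1.0.0' } },
    'node_modules/rule-engine': { version: '1.0.0', dependencies: { 'safe-eval': '1.0.0' } },
    'node_modules/rule-engine/node_modules/safe-eval': { version: '1.0.0' },
    'node_modules/safe-eval': { version: '2.0.0', dev: true },
  },
});

const SAMPLE_V1 = JSON.stringify({
  name: 'demo-app', lockfileVersion: 1,
  dependencies: {
    'rule-engine': { version: '1.0.0', dependencies: { 'safe-eval': { version: '1.0.0' } } },
  },
});
```

A copy reported under another package's `node_modules` directory is a transitive dependency: the fix there is to update or replace the parent package, not just the top-level one, and to re-run the scan until no path is reported.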
Additional Resources
- https://snyk.io/vuln/SNYK-JS-SAFEEVAL-608076
- https://github.com/hacksparrow/safe-eval/issues/19
- https://www.npmjs.com/advisories/1322
- https://nvd.nist.gov/vuln/detail/CVE-2020-7710
- https://osv.dev/vulnerability/GHSA-hrpq-r399-whgw
What are Similar Vulnerabilities to CVE-2020-7710?
Similar Vulnerabilities: CVE-2019-10777, CVE-2020-15105, CVE-2021-23588, CVE-2021-3807, CVE-2022-24792
