CVE-2022-25904
Prototype Pollution vulnerability in safe-eval (npm)
What is CVE-2022-25904 About?
All versions of the `safe-eval` package are vulnerable to Prototype Pollution. This allows an attacker to add or modify properties of `Object.prototype`, which can have widespread impacts. Exploiting this vulnerability is relatively easy if the `safeEval` function is used with attacker-controlled input.
Affected Software
Technical Details
The vulnerability in the safe-eval package stems from its use of the vm module in Node.js, specifically within the safeEval function. Despite its name, safeEval can be tricked into interpreting attacker-controlled input in a way that modifies Object.prototype. An attacker can craft a malicious JavaScript string that, when evaluated by safeEval, leverages the context of the vm module to access and manipulate Object.prototype. By adding or modifying properties on Object.prototype, an attacker can then affect all objects in the application, leading to various issues such as property injection, arbitrary code execution, or denial of service, depending on how the application uses JavaScript objects.
What is the Impact of CVE-2022-25904?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript objects, potentially leading to denial of service, arbitrary code execution, or information disclosure.
What is the Exploitability of CVE-2022-25904?
Exploitation of this Prototype Pollution vulnerability is of moderate complexity. The primary prerequisite is an application using the safe-eval package and passing attacker-controlled input to the safeEval function. No specific authentication or privilege is required for the exploitation itself, as it targets the application's logic. The attack is remote, involving the submission of specially crafted input data to points where safeEval is used. Key risk factors include any application that evaluates untrusted user input with safe-eval, as this directly exposes the vulnerability.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-25904?
Available Upgrade Options
- No fixes available
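Since no fixed release of safe-eval exists, the practical defences are to stop passing attacker-controlled input to `safeEval` and to detect or block tampering with the shared prototypes described in the Technical Details above. The following added example (my own code, not from the safe-eval project) wraps an evaluation call: it snapshots the own property descriptors of `Object.prototype`, `Array.prototype` and `Function.prototype`, diffs them after the call, reports and reverts any added or modified property, and provides a hardening step that freezes those prototypes. The polluting evaluation is a constructed stand-in that assigns to `Object.prototype` directly in the host; no sandbox escape is shown. The names `runWithPollutionCheck`, `hardenPrototypes`, `simulatedPollutingEvaluate` and `demo` are assumptions of this example.

```javascript
// Added example for CVE-2022-25904 (not code from the safe-eval project):
// detect, undo and block tampering with shared prototypes around any call
// that evaluates untrusted input (for example safeEval from safe-eval).

// Prototypes that every object, array and function in the process inherits from.
const GUARDED = [
  ['Object.prototype', Object.prototype],
  ['Array.prototype', Array.prototype],
  ['Function.prototype', Function.prototype],
];

// Record the own property descriptors (string and symbol keys) of each guarded prototype.
function snapshotPrototypes() {
  return GUARDED.map(([, proto]) =>
    new Map(Reflect.ownKeys(proto).map(k => [k, Object.getOwnPropertyDescriptor(proto, k)])));
}

// Two descriptors are equal when value/getter/setter identity and attributes match.
function sameDescriptor(a, b) {
  return a.value === b.value && a.get === b.get && a.set === b.set &&
    a.writable === b.writable && a.enumerable === b.enumerable &&
    a.configurable === b.configurable;
}

// Run `evaluate` (the wrapper around the untrusted evaluation), then diff the
// guarded prototypes against the snapshot. Added properties are deleted and
// modified ones restored so the rest of the process is not affected.
function runWithPollutionCheck(evaluate) {
  const before = snapshotPrototypes();
  let result, error;
  try { result = evaluate(); } catch (e) { error = e; }
  const polluted = [];
  GUARDED.forEach(([name, proto], i) => {
    for (const key of Reflect.ownKeys(proto)) {
      const original = before[i].get(key);
      const current = Object.getOwnPropertyDescriptor(proto, key);
      if (original === undefined) {
        polluted.push({ proto: name, key: String(key), change: 'added' });
        delete proto[key];
      } else if (!sameDescriptor(original, current)) {
        polluted.push({ proto: name, key: String(key), change: 'modified' });
        Object.defineProperty(proto, key, original);
      }
    }
  });
  return { result, error, polluted };
}

// Hardening: freeze the shared prototypes so additions and modifications fail
// (silently in sloppy mode, with a TypeError in strict mode). Apply once at
// startup, after any legitimate polyfills have been installed.
function hardenPrototypes() {
  for (const [, proto] of GUARDED) Object.freeze(proto);
  return GUARDED.every(([, proto]) => Object.isFrozen(proto));
}

// Constructed stand-in for the effect the advisory describes: evaluated
// attacker-controlled input reaching the host Object.prototype. The tampering
// here is plain assignment in the host; it is not a sandbox escape.
function simulatedPollutingEvaluate() {
  Object.prototype.isAdmin = true;            // added property
  Object.prototype.toString = () => 'pwned';  // modified built-in
  return 42;
}

// Call demo() to see the check in action: findings before hardening, none after.
function demo() {
  const first = runWithPollutionCheck(simulatedPollutingEvaluate);
  const cleanAfterFirst = !('isAdmin' in {}) && ({}).toString() === '[object Object]';
  const frozen = hardenPrototypes();
  const second = runWithPollutionCheck(simulatedPollutingEvaluate);
  return {
    firstResult: first.result,
    firstPolluted: first.polluted,
    cleanAfterFirst,
    frozen,
    secondPolluted: second.polluted,
    secondBlocked: second.error instanceof TypeError || second.result === 42,
  };
}
```

The diff-and-revert wrapper is a detection signal, not a security boundary: by the time a new property is observed, the evaluated input has already run inside the process with whatever else that implies. Freezing the prototypes blocks this particular effect but can break libraries that patch built-ins at load time, so it belongs after all polyfills and needs testing against the application's dependencies.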
Additional Resources
- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701
- https://github.com/hacksparrow/safe-eval
- https://nvd.nist.gov/vuln/detail/CVE-2022-25904
- https://github.com/hacksparrow/safe-eval/issues/26
- https://osv.dev/vulnerability/GHSA-33vh-7x8q-mg35
What are Similar Vulnerabilities to CVE-2022-25904?
Similar Vulnerabilities: CVE-2020-28281, CVE-2020-7760, CVE-2020-15105, CVE-2020-28282, CVE-2020-7712
