CVE-2023-26121
Prototype Pollution vulnerability in safe-eval (npm)
What is CVE-2023-26121 About?
This vulnerability is a Prototype Pollution issue in the `safe-eval` package due to improper sanitization of its `content` parameter. This can lead to arbitrary property injection into JavaScript objects, potentially altering application logic or causing denial of service. It is relatively easy to exploit with specifically crafted input.
Affected Software
Technical Details
All versions of the safe-eval package are vulnerable to Prototype Pollution via the safeEval function. The vulnerability stems from improper sanitization of the content parameter passed to this function. An attacker can craft a malicious content string that includes specific syntax to manipulate the prototype chain of JavaScript objects within the sandboxed environment. This allows for the injection of arbitrary properties or modification of existing ones, potentially breaking out of the sandbox, altering application behavior in unexpected ways, or causing a denial of service. Despite the package's name suggesting 'safe' evaluation, the lack of robust sanitization enables this critical bypass.
What is the Impact of CVE-2023-26121?
Successful exploitation may allow attackers to inject arbitrary properties into JavaScript objects, leading to altered application behavior, remote code execution, or denial of service.
What is the Exploitability of CVE-2023-26121?
Exploitation involves providing specially crafted input as the `content` parameter to the `safeEval` function. The complexity of crafting the payload is low to moderate, depending on the desired impact (e.g., simple property injection vs. a sandbox escape attempt). No authentication or special privileges are typically needed beyond the ability to supply input to `safeEval`. Exploitation usually happens locally within the application or through an application endpoint that processes user-controlled data. The primary risk factor is an application using safe-eval to process untrusted or user-supplied code or data; combined with the insufficient input sanitization, this makes the vulnerability critical for applications that rely on safe-eval as a security boundary.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-26121?
Available Upgrade Options
- No fixes available
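Because every version is affected and no fixed release exists, the practical check is whether safe-eval is present anywhere in a project's dependency tree. The following is an added example, not code from this advisory or from the safe-eval project; it scans a parsed `package-lock.json` for installed copies and for the packages that declare it. The sample lockfile, package names and version string are constructed for illustration.

```javascript
// Added example, not from the advisory or the safe-eval project.
// Every version of safe-eval is affected, so any copy in the lockfile is a finding.
const TARGET = 'safe-eval';

// "node_modules/a/node_modules/b" -> ["a", "b"]; the root project key "" -> [].
const chain = (key) =>
  key.split('node_modules/').slice(1).map((p) => p.replace(/\/$/, ''));

// Scan a parsed package-lock.json. Returns installed copies of `name` and the
// packages that declare it as a dependency (the ones to replace or patch).
function auditLock(lock, name = TARGET) {
  const installed = [];
  const requiredBy = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [key, meta] of Object.entries(lock.packages)) {
      const parts = chain(key);
      if (parts[parts.length - 1] === name) {
        installed.push({ path: parts.join(' > '), version: meta.version });
      }
      const declared = { ...meta.dependencies, ...meta.optionalDependencies };
      if (name in declared) requiredBy.push(parts.join(' > ') || '(root project)');
    }
  } else {
    // lockfileVersion 1: nested "dependencies", edges listed under "requires".
    const walk = (deps, trail) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const here = [...trail, dep];
        if (dep === name) installed.push({ path: here.join(' > '), version: meta.version });
        if (meta.requires && name in meta.requires) requiredBy.push(here.join(' > '));
        walk(meta.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return { installed, requiredBy };
}

// Constructed sample lockfile: hypothetical package names and versions.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'rule-engine': '*' } },
    'node_modules/rule-engine': { version: '1.0.0', dependencies: { 'safe-eval': '*' } },
    'node_modules/safe-eval': { version: '0.0.0-sample' },
  },
};
console.log(auditLock(sampleLock));
```

To scan a real project, pass the result of `JSON.parse` on the contents of its `package-lock.json`; `npm ls safe-eval` reports the same information from an installed tree.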
Additional Resources
- https://osv.dev/vulnerability/GHSA-hcg3-56jf-x4vh
- https://github.com/hacksparrow/safe-eval/issues/28
- https://gist.github.com/seongil-wi/9d9fc0cc5b7b130419cd45827e59c4f9
- https://github.com/hacksparrow/safe-eval
- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373062
- https://nvd.nist.gov/vuln/detail/CVE-2023-26121
What are Similar Vulnerabilities to CVE-2023-26121?
Similar Vulnerabilities: CVE-2020-28282, CVE-2020-7798, CVE-2021-23389, CVE-2020-7712
