Issues in plugin feature can leave users at risk

Flaw in preprocessor language Less.js causes website to leak AWS secret keys

A vulnerability in popular preprocessor language Less.js could be exploited to achieve remote code execution (RCE) against websites that allow users to input Less.js code, researchers have warned.

Less.js transpiles to valid CSS code and is used to aid the writing of CSS for websites.

The Less.js library supports plugins which can be included directly in the Less code from a remote source using the @plugin syntax.

Plugins are written in JavaScript and when the Less code is interpreted, any included plugins will execute.

Read more of the latest news about security vulnerabilities

It is this feature that can leave a user vulnerable to remote attack, researchers from Canadian infosec firm Software Secured detailed in a blog post.

“This can lead to two outcomes depending on the context of the Less processor,” they wrote.

If the Less code is processed on the client side, it leads to cross-site scripting (XSS) – but processed on the server-side it leads to RCE.

All versions of Less that support the @plugin syntax are vulnerable, the researchers added.

Real world examples

The blog post contains a proof-of-concept and example of how the plugin syntax can be exploited in the real world.

Researchers looked at, a popular website for creating web code snippets that supports standard languages plus Less.js.

They tried their PoCs against the site and were able to “leak their AWS secret keys and run arbitrary commands inside their AWS Lambdas”.

The vulnerability was reported to, which patched the bug.

Certain conditions

Speaking to The Daily Swig, Jeremy Buis, who authored the blog post, said the vulnerability requires “certain conditions” to be successful.

“An example vulnerable scenario might be a feature that accepts custom styling via Less code from a user,” Buis said. “Once in a vulnerable configuration, it is straightforward to exploit the application.”

Buis said as far as he knows, Less has not patched the bug. “The backtick behaviour has been known for a while and there is configuration to mitigate in recent versions,” Buis added.

“The plugin and @import (inline) behaviour hasn’t been written about before as far as we can tell. We reached out to the maintainers over a year ago where the bugs were acknowledged.”

Buis advised Less.js users to mitigate the risks by considering the following. “Instead of Less code, allow regular CSS use instead,” he said.

“If Less support is required, then transpile the Less code on the client-side to avoid the threat of SSRF and RCE attacks.

“To mitigate the threat of XSS, update to a recent version where JavaScript based backtick execution is turned off by default and fork the Less library and remove the `@plugin` syntax support.”

YOU MAY ALSO LIKE Dell Wyse Management Suite subject to database exposure, session hijacking