An RCE vulnerability in the node.js module will not be fixed

A critical vulnerability in Safer-Eval runs the risk of impacting over 36,000 projects that are dependent on the node.js library, a software engineer has warned.

The bug – CVE-2019-10769 – could lead to a number of issues, including a sandbox bypass, cross-site scripting (XSS), or remote code execution (RCE), Jonathan Leitschuh, software engineer at Gradle, disclosed yesterday (December 9) over Twitter.

Over 36,000 projects use the vulnerable library, Leitschuh noted. All versions are impacted and according to a GitHub advisory published late last week, no patch has been issued.

Safer-Eval is a node.js library open sourced under the MIT license and designed as an alternative to the JS standard library’s eval function.

It is intended to evaluate JavaScript in a sandbox, allowing some expressions, while throwing others away in an effort to prevent XSS and RCE exploits.
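Because every version of the library is affected and no fix is planned, the first practical question for a team is whether Safer-Eval is anywhere in its dependency tree, directly or pulled in by another package. The following is an added example, not code from the article or from the Safer-Eval project: it walks an npm `package-lock.json` (both the nested `dependencies` shape of lockfile version 1 and the flat `packages` map of versions 2 and 3) and reports every installed copy of a named package. The two lockfiles embedded below are constructed for the example; the package name `safer-eval` comes from the article, while `template-lib`, `example-app` and the version numbers are made up.

```javascript
// Added example: locate a package anywhere in an npm lockfile.
// Only the name "safer-eval" is taken from the article; the sample
// lockfiles, other package names and versions are constructed.
const FLAGGED = "safer-eval";

// Returns [{ path, version }] for every installed copy of `name`.
// lockfileVersion 1 nests dependencies inside each other; versions 2 and 3
// also carry a flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/b". Both shapes are handled.
function findPackage(lock, name = FLAGGED) {
  const hits = [];

  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // "" is the root project itself
      // The text after the last "node_modules/" is the package name
      // (scoped names such as "@scope/pkg" survive this split intact).
      const segments = path.split("node_modules/");
      const pkgName = segments[segments.length - 1];
      if (pkgName === name) hits.push({ path, version: meta.version });
    }
    return hits;
  }

  // lockfileVersion 1: recurse through the "dependencies" tree while
  // rebuilding the on-disk install path for each entry.
  const walk = (deps, prefix) => {
    for (const [depName, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Human-readable summary. Since the article states that all versions are
// affected, any hit at all is a finding; the version is reported for context.
function report(lock, name = FLAGGED) {
  const hits = findPackage(lock, name);
  if (hits.length === 0) return `${name}: not present in lockfile`;
  return hits.map((h) => `${name}@${h.version} installed at ${h.path}`).join("\n");
}

// Constructed lockfile v2: a direct dependency plus a nested copy pulled in
// by a (made-up) transitive dependency, "template-lib".
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", dependencies: { "safer-eval": "1.3.3", "template-lib": "2.0.0" } },
    "node_modules/safer-eval": { version: "1.3.3" },
    "node_modules/template-lib": { version: "2.0.0", dependencies: { "safer-eval": "1.3.2" } },
    "node_modules/template-lib/node_modules/safer-eval": { version: "1.3.2" },
  },
};

// Constructed lockfile v1: the same transitive case in the older nested shape.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "template-lib": {
      version: "2.0.0",
      requires: { "safer-eval": "^1.3.0" },
      dependencies: { "safer-eval": { version: "1.3.2" } },
    },
  },
};

// Usage: `node find-dep.js ./package-lock.json` scans a real lockfile;
// with no argument the two constructed samples are scanned instead.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  if (lockPath) {
    const lock = JSON.parse(require("fs").readFileSync(lockPath, "utf8"));
    console.log(report(lock));
  } else {
    console.log(report(SAMPLE_LOCK_V2));
    console.log(report(SAMPLE_LOCK_V1));
  }
}
```

Running the script against a real lockfile turns the article's "36,000 projects" figure into a yes-or-no answer for your own repository; a nested hit under another package's `node_modules` means the dependency is transitive and removing it requires changing or replacing that upstream package rather than your own `package.json`.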

As described by developer Robert Webb, the basic eval function is considered by some as “only one letter away from evil”. By including the eval function in a code base, he says, “you will be encouraging future developers to use it for bad purposes”.

On December 6, the package author published a warning to Safer-Eval users – of which there have been over 50,000 downloads during the past week from the code repository – that the module should be considered “harmful”.

“Before using this module, ask yourself if there are no better options than using Safer-Eval,” the advisory said.

“It is potentially better than the bad old eval() but has harmful potential.”

The same warning has been published on the Safer-Eval GitHub project page.

This likely relates to the recent release of proof-of-concept (PoC) exploit code able to abuse a critical Safer-Eval vulnerability.

In April, GitHub user XmiliaH also published PoC code able to cause a sandbox breakout in vm2 via the generation of a range error.

On closer examination, however, XmiliaH branded the use of a range error as “overkill”, leading to a simpler PoC being written and published by the developer.

Earlier versions of Safer-Eval – 1.3.3 and below – were additionally found to be vulnerable to a sandbox bypass and RCE attack through malicious payloads able to tamper with constructor strings.

This vulnerability is tracked as CVE-2019-10759 and was made public in July.

In the absence of patch development for the new exploit, Safer-Eval has recommended vm2 as a substitute and has encouraged the public posting of exploits against the module in order to “help others to build a better sandbox”.