VYPR
Critical severity · NVD Advisory · Published May 31, 2018 · Updated Sep 16, 2024

CVE-2016-10548

Description

Arbitrary code execution in reduce-css-calc <=1.2.4 via crafted CSS enables XSS on clients and code injection on servers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The reduce-css-calc npm package before version 1.2.5 contains an arbitrary code execution flaw [1][2]. The vulnerability arises because user-controlled CSS input passed to the calc function is not properly sanitized before being evaluated. An attacker can inject JavaScript expressions that the module will execute, leveraging Node.js globals like Buffer and global to access system functions [3].

Exploitation

An attacker only needs to supply specially crafted CSS input to the calc function [3]. No authentication or special privileges are required if the application passes user-supplied CSS to this module. The provided proof-of-concept demonstrates that a call such as reduceCSSCalc(calc( (Buffer(10000)))) will execute code [3]. The attacker can chain access to require('fs') through global['fs'] to call readFileSync and other system functions [1][2][3].

Impact

Successful exploitation leads to full arbitrary code execution in the context of the application [1][2]. On the client side, this results in cross-site scripting (XSS). On the server side, the attacker can perform arbitrary code injection, including reading sensitive files, modifying data, or executing system commands [2][3]. The impact is critical, with a CVSS base score of 9.8 [1].

Mitigation

Users should upgrade to reduce-css-calc version 1.2.5 or later [2]. The fix was released in a version that properly sanitizes input to prevent code evaluation. No workaround is available if upgrading is not possible; the package should not be used with untrusted CSS input. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
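The advisory's mitigation advice (upgrade past 1.2.4, and never feed untrusted CSS to the module) can be enforced in code. The following is an added defensive illustration, not code from the advisory, NVD, or the reduce-css-calc project: an allowlist check that accepts only numbers with CSS units, arithmetic operators, whitespace and balanced parentheses inside calc(), a version check for the affected range (< 1.2.5), and a guard that applies the check before calling whatever reducer the application uses. The reducer is passed in as a parameter so the snippet runs without the package installed; isSafeCalcExpression, isAffectedVersion and reduceCalcGuarded are names chosen here.

```javascript
// Added example, not from the advisory or the reduce-css-calc project.
// Allowlist for calc() input: only numbers with CSS units, arithmetic
// operators, parentheses, whitespace and the calc( keyword may appear.
// Identifiers such as Buffer, global or require never match, so injected
// JavaScript is rejected before the expression could ever be evaluated.
const CALC_TOKEN = /^(?:calc\(|[+\-*\/()]|\s+|[+-]?(?:\d+\.?\d*|\.\d+)(?:%|px|em|rem|ex|ch|vw|vh|vmin|vmax|cm|mm|in|pt|pc|deg|rad|grad|turn|s|ms|fr)?)/i;

// Tokenise left to right; any unmatched character or unbalanced
// parenthesis means the input is not a plain calc() expression.
function isSafeCalcExpression(css) {
  let rest = css.trim();
  let depth = 0;
  while (rest.length > 0) {
    const m = CALC_TOKEN.exec(rest);
    if (!m) return false;                // character outside the allowlist
    const tok = m[0];
    if (tok.endsWith("(")) depth += 1;
    if (tok === ")") depth -= 1;
    if (depth < 0) return false;         // closing parenthesis without an opener
    rest = rest.slice(tok.length);
  }
  return depth === 0;
}

// Affected range given in the advisory: every release before 1.2.5.
// Takes a plain "major.minor.patch" string such as one read from a lockfile.
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const [major, minor, patch] = m.slice(1).map(Number);
  return major < 1 || (major === 1 && (minor < 2 || (minor === 2 && patch < 5)));
}

// Wraps whichever reducer the application uses (passed in, so the example
// runs without the package installed); untrusted CSS never reaches it unchecked.
function reduceCalcGuarded(css, reducer) {
  if (!isSafeCalcExpression(css)) {
    throw new Error("rejected calc() input outside the allowlisted grammar");
  }
  return reducer(css);
}

// Constructed samples: the first two are legitimate, the third has the
// shape of the advisory's proof of concept and is rejected.
const SAMPLES = ["calc(100% - 2 * 10px)", "calc((1em + 2px) / 3)", "calc( (Buffer(10000)))"];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", isSafeCalcExpression(s) ? "accepted" : "rejected");
console.log("1.2.4 affected:", isAffectedVersion("1.2.4"), "| 1.2.5 affected:", isAffectedVersion("1.2.5"));
```

The allowlist is deliberately stricter than the full CSS calc() grammar (no nested functions or custom properties); widen it only with constructs you can enumerate, never by accepting arbitrary identifiers.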

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: reduce-css-calc (npm)
Affected versions: < 1.2.5
Patched versions: 1.2.5

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (No linked articles in our index yet.)