High severity · 8.8 · NVD Advisory · Published Nov 27, 2017 · Updated May 13, 2026
CVE-2017-1001004
Description
typed-function before 0.10.6 allowed arbitrary code execution in the JavaScript engine: creating a typed function with JavaScript code in its name could result in that code being executed.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| typed-function | npm | < 0.10.6 | 0.10.6 |
Affected products
- Range: 0.10.6
Patches
6478ef4f2c3f: Fixed a security issue allowing to execute arbitrary JavaScript code via a specially prepared function name of a typed function
3 files changed · +30 −4
HISTORY.md+6 −0 modified@@ -1,6 +1,12 @@ # History +## not yet released, version 0.10.6 + +- Fixed a security issue allowing to execute aritrary JavaScript code via a + specially prepared function name of a typed function. Thanks Masato Kinugawa. + + ## 2016-11-18, version 0.10.5 - Fixed the use of multi-layered use of `any` type. See #8.
test/security.test.js+17 −0 added@@ -0,0 +1,17 @@ +var assert = require('assert'); +var typed = require('../typed-function'); + +describe('security', function () { + + it ('should not allow bad code in the function name', function () { + // simple example: + // var fn = typed("(){}+console.log('hacked...');function a", { + // "": function () {} + // }); + + // example resulting in throwing an error + var fn = typed("(){}+(function(){throw new Error('Hacked... should not have executed this function!!!')})();function a", { + "": function () {} + }); + }) +})
typed-function.js+7 −4 modified@@ -1096,12 +1096,15 @@ //console.log(util.inspect(node, { depth: null })); // generate code for the typed function + // safeName is a conservative replacement of characters + // to prevend being able to inject JS code at the place of the function name + // the name is useful for stack trackes therefore we want have it there var code = []; - var _name = name || ''; - var _args = getArgs(maxParams(_signatures)); - code.push('function ' + _name + '(' + _args.join(', ') + ') {'); + var safeName = (name || '').replace(/[^a-zA-Z0-9_$]/g, '_') + var args = getArgs(maxParams(_signatures)); + code.push('function ' + safeName + '(' + args.join(', ') + ') {'); code.push(' "use strict";'); - code.push(' var name = \'' + _name + '\';'); + code.push(' var name = ' + JSON.stringify(name || '') + ';'); code.push(node.toCode(refs, ' ', false)); code.push('}');
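Review bot: the changelog line in the HISTORY.md hunk misspells "arbitrary" (`- Fixed a security issue allowing to execute aritrary JavaScript code via a`); this entry is what advisories and downstream users will quote, so fix the spelling before the 0.10.6 release is tagged.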
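Review bot: the test in the test/security.test.js hunk has no assertion; it passes whenever `typed(...)` does not throw, and the `fn` it creates is never used, so a future change that silently returns something other than a working function would still pass. Make the expectation explicit, for example `assert.strictEqual(typeof fn, 'function')` followed by a call to `fn()`, and consider a name without quote characters: because the payload contains single quotes, the pre-fix `var name = '...'` literal would already fail to parse, which makes it hard to tell a SyntaxError from the injection the test is meant to catch.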
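Review bot: the `safeName` regex in the typed-function.js hunk keeps digits, so a name that starts with a digit, or that is a reserved word such as `function`, still produces `function 1abc(...)` and `new Function` throws a SyntaxError instead of returning a typed function; this is no longer code execution, but the sanitiser could close that gap by prefixing an underscore when the result is not a valid identifier, or the restriction should be documented. Two smaller points: `var safeName = (name || '').replace(/[^a-zA-Z0-9_$]/g, '_')` lacks the trailing semicolon used elsewhere in the file, and the new comment has typos ("prevend", "stack trackes", "we want have it there").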
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
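The following is an added example written for this page; it is not code from typed-function, from the fix commit, or from the advisory's authors. It reproduces the code-generation pattern the fix changed, a caller-supplied name spliced into source text compiled with `new Function`, side by side in its pre-fix and post-fix forms, and adds the stricter name check the fix's regex leaves open (leading digits and reserved words). The helper names `safeName`, `buildSource`, `compile`, `injectedCodeRuns`, `isValidFunctionName`, `strictSafeName` and `compileStrict` are assumptions, the injecting name is a constructed input modelled on the project's own regression test, and the `return <function expression>` evaluation shape is inferred from that test's payload rather than confirmed by the page.

```javascript
// Added example, not typed-function's own code: contrasts the pre-fix and
// post-fix construction of a generated, named function (CVE-2017-1001004).
// All helper names are assumptions made for this demonstration.

// Equivalent of the `safeName` expression introduced by the fix commit:
// every character outside [A-Za-z0-9_$] becomes an underscore.
function safeName(name) {
  return (name || '').replace(/[^a-zA-Z0-9_$]/g, '_');
}

// Build the source of a named function. `hardened` selects the pre-fix
// (raw concatenation) or post-fix (sanitised name, JSON-encoded literal) form.
function buildSource(name, hardened) {
  const raw = name || '';
  const fnName = hardened ? safeName(raw) : raw;
  // Pre-fix: a quoted literal built by concatenation. Post-fix: JSON.stringify
  // escapes quotes and backslashes, so the literal cannot be terminated early.
  const nameLiteral = hardened ? JSON.stringify(raw) : "'" + raw + "'";
  const code = [];
  code.push('function ' + fnName + '() {');
  code.push('  "use strict";');
  code.push('  var name = ' + nameLiteral + ';');
  code.push('  return name;');
  code.push('}');
  // Assumption: the source is evaluated as `return <function expression>`,
  // the shape the payload in the project's test file relies on.
  return 'return ' + code.join('\n');
}

// Compile the generated source and return the resulting function.
function compile(name, hardened) {
  return new Function(buildSource(name, hardened))();
}

// Constructed input in the style of test/security.test.js: it closes the
// function header early and appends a statement that throws. It deliberately
// contains no quote characters, so the pre-fix `var name = '...'` literal
// still parses and the appended statement is actually reached.
const INJECTING_NAME = '(){}+(function(){throw new Error})();function a';

// Regression check: true when compiling the name runs the appended statement
// (signalled by the thrown Error), false when it is rendered inert.
function injectedCodeRuns(hardened) {
  try {
    compile(INJECTING_NAME, hardened);
    return false;
  } catch (e) {
    return e instanceof Error && !(e instanceof SyntaxError);
  }
}

// Gap left by the fix's regex: digits are kept, so a leading digit or a
// reserved word still yields a SyntaxError from new Function. Not injection,
// but the call fails instead of returning a function. A stricter sanitiser
// compiles the candidate, which contains only [A-Za-z0-9_$] and therefore
// cannot alter the surrounding source, and prefixes "_" if the engine rejects it.
function isValidFunctionName(candidate) {
  try {
    new Function('"use strict"; function ' + candidate + '() {}');
    return true;
  } catch (e) {
    return false;
  }
}

function strictSafeName(name) {
  const candidate = safeName(name);
  if (candidate === '') return ''; // anonymous function expression is fine
  return isValidFunctionName(candidate) ? candidate : '_' + candidate;
}

// Post-fix construction using the stricter sanitiser.
function compileStrict(name) {
  const src = 'return function ' + strictSafeName(name) +
    '() { return ' + JSON.stringify(name || '') + '; }';
  return new Function(src)();
}
```

`injectedCodeRuns(false)` returns true and `injectedCodeRuns(true)` returns false, which is the property the project's security test is meant to pin down; `compile('1abc', true)` still throws a SyntaxError, while `compileStrict('1abc')` yields a working function named `_1abc`.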
References
- github.com/advisories/GHSA-3qh4-r86r-grvm (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-1001004 (GHSA, advisory)
- github.com/josdejong/typed-function/blob/master/HISTORY.md (NVD, web)
- github.com/josdejong/typed-function/commit/6478ef4f2c3f3c2d9f2c820e2db4b4ba3425e6fe (NVD and GHSA, web)
- snyk.io/vuln/SNYK-JS-TYPEDFUNCTION-174139 (GHSA, web)
- www.npmjs.com/advisories/819 (GHSA, web)
News mentions
No linked articles in our index yet.