Critical severity · OSV Advisory · Published Feb 25, 2019 · Updated Aug 4, 2024

CVE-2019-9115

Description

Unsafe eval in irisnet-crypto before 1.1.7 allows code execution via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The util/utils.js file in irisnet-crypto versions prior to 1.1.7 uses eval() in an unsafe manner, allowing arbitrary code execution [1]. This affects all users of the library who rely on the affected code path.

Exploitation

An attacker can provide specially crafted input that is passed to the eval() function without sanitization. No authentication or special network position is required if the input is user-controlled [2].

Impact

Successful exploitation leads to arbitrary code execution in the context of the application using the library, potentially compromising the entire system [1].

Mitigation

Upgrade to irisnet-crypto version 1.1.7 or later, where the unsafe eval usage has been removed [1]. No workaround is available.
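
A caller-side guard for the function-valued branch described under Vulnerability, as an added example that is not irisnet-crypto's code: it lists function-valued fields in an object and sorts keys without evaluating anything. The names findFunctionFields and sortKeysSafe, the array handling and the sample object are assumptions, and input is assumed to be JSON-like (acyclic).

```javascript
// Added example, not code from irisnet-crypto. Function names are hypothetical.

// Return the dotted path of every function-valued property found in obj.
function findFunctionFields(obj, prefix = '') {
  const hits = [];
  if (obj === null || typeof obj !== 'object') return hits;
  for (const k of Object.keys(obj)) {
    const path = prefix ? `${prefix}.${k}` : k;
    const v = obj[k];
    if (typeof v === 'function') {
      hits.push(path);
    } else if (v !== null && typeof v === 'object') {
      hits.push(...findFunctionFields(v, path));
    }
  }
  return hits;
}

// Recursively sort keys and stringify scalars. Objects recurse and scalars
// become strings; a function value is rejected instead of being evaluated.
function sortKeysSafe(obj) {
  const bad = findFunctionFields(obj);
  if (bad.length > 0) {
    throw new TypeError(`function-valued fields rejected: ${bad.join(', ')}`);
  }
  const conv = (v) => (v !== null && typeof v === 'object' ? sort(v) : String(v));
  const sort = (o) => {
    if (Array.isArray(o)) return o.map(conv); // assumption: arrays keep their order
    const tmp = {};
    for (const k of Object.keys(o).sort()) tmp[k] = conv(o[k]);
    return tmp;
  };
  return sort(obj);
}

// Constructed sample object (field values are illustrative only).
const sampleTx = { memo: 'demo', gas: 200000, chain_id: 'rainbow-dev', fees: { denom: 'x', amount: 1 } };
console.log(JSON.stringify(sortKeysSafe(sampleTx)));
console.log(findFunctionFields({ memo: 'demo', hooks: { onSign: () => 1 } })); // [ 'hooks.onSign' ]
```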

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
irisnet-crypto (npm) | < 1.1.7 | 1.1.7

Affected products

2

Patches

1
7ea0e65ece9c

solve issue: https://github.com/irisnet/irisnet-crypto/issues/60

https://github.com/dreamer-zq/irisnet-crypto · zhangzhiqiang · Jan 18, 2019 · via ghsa
2 files changed · +10 -5
  • test/crypto_test.js +3 -3 modified
    @@ -36,7 +36,7 @@ describe('CryPto test', function () {
         });
     
     
    -    let chain_id = "irishub-test";
    +    let chain_id = "rainbow-dev";
         let from = "faa1ljemm0yznz58qxxs8xyak7fashcfxf5lssn6jm";
         let gas = 200000;
         let account_number = 4;
    @@ -53,7 +53,7 @@ describe('CryPto test', function () {
                     chain_id: chain_id,
                     from: from,
                     account_number: account_number,
    -                sequence:0 ,
    +                sequence:21 ,
                     fees: fees,
                     gas: gas,
                     memo: memo,
    @@ -77,7 +77,7 @@ describe('CryPto test', function () {
                     chain_id: chain_id,
                     from: from,
                     account_number: account_number,
    -                sequence:1 ,
    +                sequence:15 ,
                     fees: fees,
                     gas: gas,
                     memo: memo,
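
Review bot: The three hunks in test/crypto_test.js only retarget fixtures (chain_id to "rainbow-dev", sequence to 21 and 15); none adds a case that passes an object with a function-valued field through the branch this commit changes in util/utils.js. Add a regression test for that branch, and consider moving the fixture changes to a separate commit so the security fix can be reviewed on its own.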
    
  • util/utils.js +7 -2 modified
    @@ -18,7 +18,7 @@ module.exports = class Utils {
                     } else if (obj[k] != null && typeof(obj[k]) === "object") {
                         tmp[k] = sort(obj[k]);
                     } else if (obj[k] != null && typeof(obj[k]) === "function") {
    -                    tmp[k] = eval(obj[k].toString())
    +                    tmp[k] = evil(obj[k].toString())
                     } else {
                         tmp[k] = new String(obj[k]).toString();
                     }
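
Review bot: On the typeof(obj[k]) === "function" branch, replacing eval(...) with evil(...) keeps the same argument, obj[k].toString(), so the string form of a caller-supplied value is still handed to an evaluator. The fallback branch just below produces a plain string with new String(obj[k]).toString(); handle function values the same way, or reject them with an error, rather than evaluating them.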
    @@ -60,4 +60,9 @@ module.exports = class Utils {
                 return str.toString()
             }
         }
    -};
    \ No newline at end of file
    +};
    +
    +function evil(fn) {
    +    let Fn = Function;
    +    return new Fn('return ' + fn)();
    +}
    \ No newline at end of file
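
Review bot: The new evil() helper at the end of the file returns new Fn('return ' + fn)(), where Fn is only an alias for Function, so the input string is still compiled and executed as code; the rename and alias change how the call looks, not what it does. Remove the helper together with the evaluation at its call site instead of wrapping it. The file also still ends without a trailing newline.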
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
