Sandbox Escape
Description
All versions of safe-eval are vulnerable to sandbox escape, allowing arbitrary command execution on the host machine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
safe-eval is a Node.js package intended as a safer alternative to eval(): it runs the supplied code inside a context created with Node's vm module. CVE-2020-7710 shows that this isolation is insufficient. Node documents the vm module as not being a security mechanism, and safe-eval's sandbox does not stop code inside it from reaching objects that originate in the host realm. The published escape reaches one through an Error object: the sandboxed code nulls the error's prototype and replaces its stack property with an object carrying a custom match method, so that whatever host-side code later inspects the stack hands a host object back into the sandbox. That object's constructor chain leads to the host's Function constructor [1][2].
Exploitation Details
An attacker supplies a function that creates an Error object, sets its __proto__ to null, overrides the stack property with an object whose match method is attacker-controlled, and throws it out of the sandbox. When code outside the sandbox inspects the error's stack, the match method is invoked with a host-realm object as its argument; outer.constructor.constructor is therefore the host realm's Function constructor, which the attacker uses to return the host process object. From process the attacker loads child_process and calls execSync, gaining arbitrary command execution [2][3]. No authentication is required: the attacker only needs to control a string passed to safeEval(). The context object the caller supplies does not matter, because the host object reaches the sandbox through error handling rather than through the sandbox's globals.
Impact
Successful exploitation grants the attacker arbitrary command execution on the host machine with the privileges of the Node.js process. This can result in full system compromise, data exfiltration, or lateral movement within the network [1][2].
Mitigation Status
As of the advisory publication date (August 2020) there is no fixed version of safe-eval, and the package appears unmaintained. Do not pass untrusted input to safeEval(); every release up to and including 0.4.1 is affected. Because the underlying vm module is not a security boundary, any replacement that only wraps vm inherits the same class of escape; untrusted code needs isolation outside the Node process or outside the V8 context, such as a separate process with reduced privileges, a container, or a V8-isolate-based library like isolated-vm. A proof-of-concept exploit is publicly available [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| safe-eval (npm) | <= 0.4.1 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/advisories/GHSA-hrpq-r399-whgw (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7710 (NVD)
- github.com/hacksparrow/safe-eval/issues/19 (upstream GitHub issue)
- snyk.io/vuln/SNYK-JS-SAFEEVAL-608076 (Snyk advisory)
- www.npmjs.com/advisories/1322 (npm advisory)
News mentions (0)
No linked articles in our index yet.