VYPR
Critical severity · NVD Advisory · Published Apr 11, 2023 · Updated Feb 7, 2025

CVE-2023-26122


Description

Safe-eval package all versions vulnerable to sandbox bypass via prototype pollution, allowing remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Details

CVE-2023-26122 affects all versions of the safe-eval package. The vulnerability arises from incomplete sanitization of the evaluation context: the sandbox is meant to keep evaluated code away from Node.js APIs, but it can be escaped by walking the prototype chain [1]. The package executes code through Node's vm module, which creates a fresh V8 context but is documented by Node itself as not being a security mechanism. Host-realm built-ins remain reachable from inside that context through properties such as __defineGetter__, stack, toLocaleString, propertyIsEnumerable.call and valueOf; because these are not filtered, attacker code can follow them back to a host-realm Function constructor and break out of the sandbox [2].

Exploitation

An attacker supplies crafted JavaScript to safe-eval that uses the properties listed above to reach host-realm objects through the prototype chain. The only precondition is control of the string passed to safe-eval, which in the affected pattern is user-supplied data; no authentication is needed when the application feeds untrusted input to safe-eval. Proof-of-concept code shows that even version 0.4.1, the latest release at the time of the report, is exploitable via dynamic import and constructor chains that obtain the host process object and execute arbitrary commands [4].

Impact

Successful exploitation yields full remote code execution (RCE) inside the Node.js process: the attacker can run system commands, read and write files, or install malware. The sandbox is bypassed entirely, so the injected code runs with whatever privileges the host application's process holds [1].

Mitigation

No official patch has been released; all versions of safe-eval are considered vulnerable. The maintainer advises using safe-eval only with trusted code and never exposing it to user-submitted data [3]. In practice, developers should remove safe-eval rather than try to harden it: a property blocklist on top of the vm module cannot be made complete, and Node's documentation states that vm is not a security mechanism. Untrusted code should instead run behind an OS-level boundary (a separate unprivileged process or container), or, where the application only needs to evaluate user-supplied expressions, the input should be parsed with a restricted grammar rather than handed to a JavaScript engine at all. Where evaluation of arbitrary code is unavoidable, restrict the input strictly to code from trusted sources.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
safe-eval   npm         <= 0.4.2            (none)

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 10

News mentions: 0