Beware of Prototype Pollution Vulnerability in safe-eval Package

CVE: CVE-2023-26121
CVSS (v3.1): 7.5
Source: CVE-2023-26121

The popular Node.js package safe-eval, which is used to safely evaluate JavaScript code, is vulnerable to a prototype pollution attack.

Prototype pollution is a class of bug in which an attacker can modify a prototype that other objects share through the prototype chain. By polluting the chain, an attacker can add properties and methods to the Object prototype or modify existing ones, and every object that inherits from it then sees those changes. This can lead to privilege escalation attacks.

In safe-eval, the safeEval function does not properly sanitize user-provided content passed to it. An attacker could craft a payload that pollutes the prototype, potentially adding dangerous properties or methods. This would compromise security by enabling the execution of otherwise prohibited operations.

If you use safe-eval in your Node.js application, you should upgrade to version 1.1.1 or higher, which is not affected. It’s also recommended to review your code and ensure user input is sanitized before it is passed to safeEval. Running the latest version of Node.js can also help mitigate risks from other prototype pollution vulnerabilities.

Staying on top of package updates and following security best practices like input validation are important steps to help prevent attacks like prototype pollution from impacting your applications.
