Security issue: node's VM module doesn't prevent you from accessing the node stdlib #5
Hey @SuperOP535 -- original reporter here :) I tried reproducing the issue with:
and it looks like safe-eval 0.4 fixes it. Not sure how the NPM advisories work, as it should probably be closed.
The new exploit (like the one reported by @odino) is fragile, and there are many trivial ways to break it, but in general any access by the eval-ed code to any object from the caller's realm (e.g., if any object is passed in via
I would advise using vm2 instead. (Please note that I have not audited the code of vm2, so I can make no representations about its correctness—but at least its author appears to fully understand the issues.)