browserify / static-eval

evaluate statically-analyzable expressions
MIT License

High Severity Security vulnerability with package #34

Open charlieTheBotDev opened 3 years ago

charlieTheBotDev commented 3 years ago

Issue picked up and reported in Snyk: https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765

SymbioticKilla commented 3 years ago

@goto-bus-stop can it be fixed? Thanks!

goto-bus-stop commented 3 years ago

It's a false positive.

andyedwardsibm commented 3 years ago

Could you elaborate on that a bit? Snyk have a PoC at https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765 ...

// PoC as posted: the template literal's ${...} expression is evaluated by
// static-eval, which hands the string inside it to eval() and so to child_process.
var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src = "(function (x) { return `${eval(\"console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())\")}` })()";
var ast = parse(src).body[0].expression;   // the outer CallExpression
evaluate(ast);                             // runs `ls` and prints its output

... and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 has been raised for it

goto-bus-stop commented 3 years ago

I see, I thought it was the same as this: https://github.com/418sec/huntr/pull/1883. That PR had omitted the quotes.

It looks like the Snyk one is more valid, but still, essentially expected behaviour as documented in our readme. https://github.com/browserify/static-eval#security
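Added example, not part of this thread and not static-eval's own code: the check a consumer of an expression evaluator wants in front of untrusted input, as the readme's security section implies. It walks an ESTree-shaped AST first and refuses any node kind that is not plain data (no calls, no member access, no template literals, no functions), and only then evaluates what passed. The AST objects are hand-constructed in the shape esprima emits, so it runs with no packages installed; the payload string inside the PoC-shaped tree is a harmless placeholder.

```javascript
'use strict';
// Added example: allowlist gate in front of evaluation. Not static-eval's code.

const BIN = {
  '+': (a, b) => a + b, '-': (a, b) => a - b, '*': (a, b) => a * b,
  '/': (a, b) => a / b, '%': (a, b) => a % b,
  '===': (a, b) => a === b, '!==': (a, b) => a !== b,
  '<': (a, b) => a < b, '<=': (a, b) => a <= b,
  '>': (a, b) => a > b, '>=': (a, b) => a >= b,
};
const UNARY = { '-': (a) => -a, '+': (a) => +a, '!': (a) => !a };
const LOGICAL = new Set(['&&', '||', '??']);

// Allowlist gate: returns { ok: true } or { ok: false, reason } and evaluates
// nothing. Any node type not listed (CallExpression, MemberExpression,
// TemplateLiteral, FunctionExpression, ...) is rejected by name.
function gateAst(node, vars = {}) {
  if (node === null || node === undefined) return { ok: true }; // array holes
  const sub = (...kids) => {
    for (const k of kids) { const r = gateAst(k, vars); if (!r.ok) return r; }
    return { ok: true };
  };
  switch (node.type) {
    case 'Literal':
      return node.regex ? { ok: false, reason: 'regex literal' } : { ok: true };
    case 'Identifier': // only names the caller explicitly supplied
      return Object.prototype.hasOwnProperty.call(vars, node.name)
        ? { ok: true } : { ok: false, reason: `unknown identifier ${node.name}` };
    case 'ArrayExpression': return sub(...node.elements);
    case 'ObjectExpression': return sub(...node.properties);
    case 'Property':
      if (node.computed || node.kind !== 'init') return { ok: false, reason: 'non-plain property' };
      if (node.key.type !== 'Identifier' && node.key.type !== 'Literal') return { ok: false, reason: 'non-plain property key' };
      return sub(node.value);
    case 'UnaryExpression':
      return UNARY[node.operator] ? sub(node.argument) : { ok: false, reason: `unary ${node.operator}` };
    case 'BinaryExpression':
      return BIN[node.operator] ? sub(node.left, node.right) : { ok: false, reason: `binary ${node.operator}` };
    case 'LogicalExpression':
      return LOGICAL.has(node.operator) ? sub(node.left, node.right) : { ok: false, reason: `logical ${node.operator}` };
    case 'ConditionalExpression': return sub(node.test, node.consequent, node.alternate);
    default: return { ok: false, reason: `disallowed node ${node.type}` };
  }
}

// Evaluator for the gated subset only; it never reaches eval, Function or a prototype.
function evalNode(node, vars) {
  if (node === null || node === undefined) return undefined;
  switch (node.type) {
    case 'Literal': return node.value;
    case 'Identifier': return vars[node.name];
    case 'ArrayExpression': return node.elements.map((e) => evalNode(e, vars));
    case 'ObjectExpression': {
      const out = {};
      for (const p of node.properties) {
        const key = p.key.type === 'Identifier' ? p.key.name : String(p.key.value);
        if (key === '__proto__') throw new Error('refusing __proto__ key'); // no prototype pollution via object literal
        out[key] = evalNode(p.value, vars);
      }
      return out;
    }
    case 'UnaryExpression': return UNARY[node.operator](evalNode(node.argument, vars));
    case 'BinaryExpression': return BIN[node.operator](evalNode(node.left, vars), evalNode(node.right, vars));
    case 'LogicalExpression': {
      const l = evalNode(node.left, vars);
      if (node.operator === '&&') return l ? evalNode(node.right, vars) : l;
      if (node.operator === '||') return l ? l : evalNode(node.right, vars);
      return l ?? evalNode(node.right, vars);
    }
    case 'ConditionalExpression':
      return evalNode(node.test, vars) ? evalNode(node.consequent, vars) : evalNode(node.alternate, vars);
    default: throw new Error(`unreachable: ${node.type}`);
  }
}

function safeEvaluate(ast, vars = {}) {
  const g = gateAst(ast, vars);
  if (!g.ok) throw new Error(`rejected before evaluation: ${g.reason}`);
  return evalNode(ast, vars);
}

// Constructed input 1: what esprima emits for  [1 + 2, 'a', { b: x }]
const BENIGN_AST = { type: 'ArrayExpression', elements: [
  { type: 'BinaryExpression', operator: '+',
    left: { type: 'Literal', value: 1 }, right: { type: 'Literal', value: 2 } },
  { type: 'Literal', value: 'a' },
  { type: 'ObjectExpression', properties: [
    { type: 'Property', kind: 'init', computed: false,
      key: { type: 'Identifier', name: 'b' }, value: { type: 'Identifier', name: 'x' } } ] },
] };

// Constructed input 2: the shape of the thread's PoC,  (function (x) { return `${eval("...")}` })()
// with a harmless placeholder string where the child_process payload would be.
const POC_SHAPED_AST = { type: 'CallExpression', arguments: [], callee: {
  type: 'FunctionExpression', id: null, params: [{ type: 'Identifier', name: 'x' }],
  body: { type: 'BlockStatement', body: [{ type: 'ReturnStatement', argument: {
    type: 'TemplateLiteral',
    quasis: [{ type: 'TemplateElement', value: { raw: '', cooked: '' }, tail: false },
             { type: 'TemplateElement', value: { raw: '', cooked: '' }, tail: true }],
    expressions: [{ type: 'CallExpression', callee: { type: 'Identifier', name: 'eval' },
                    arguments: [{ type: 'Literal', value: '1 + 1' }] }],
  } }] },
} };

// Constructed input 3: a member-access escape attempt,  ({}).constructor
const MEMBER_AST = { type: 'MemberExpression', computed: false,
  object: { type: 'ObjectExpression', properties: [] },
  property: { type: 'Identifier', name: 'constructor' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(safeEvaluate(BENIGN_AST, { x: 3 })));
  for (const ast of [POC_SHAPED_AST, MEMBER_AST]) {
    try { safeEvaluate(ast); } catch (e) { console.log(e.message); }
  }
}
```

The gate rejects the PoC at the outermost node, before any of the inner TemplateLiteral or eval call is inspected, and an Identifier is only accepted if the caller put it in `vars`, so `process`, `global` and `eval` are never resolvable from the expression itself. Run it with `node` to see the benign tree evaluate and the two escape attempts refused.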

cgonzalezp91 commented 3 years ago

This issue is also in NVD-CVE-2021-23334. It's giving other libraries a hard time; in my case, pdfmake: it's reported by npm as a high vulnerability issue and is being blocked by systems that handle this type of package.

Any workaround that we can use or possibly for a solution?

goto-bus-stop commented 3 years ago

I emailed Snyk and they said they would revoke the CVE. I'm not sure how that works, so it might take a few days.

cakenyo commented 3 years ago

Any more info about the CVE revoke?

SymbioticKilla commented 3 years ago

It's already revoked. WhiteSource at least doesn't show it as a CVE anymore.

carnil commented 3 years ago

@SymbioticKilla But I guess it was not officially asked for REJECT to the assigning CNA? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 the assigning CNA was "Snyk", so if the issue turns out to be a non-security issue and the CVE invalid the respective CNA would need to reject the entry.

namtx commented 3 years ago

Do we have any update?

Garbee commented 3 years ago

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071860

Snyk has updated their own system reflecting that this was deemed not an issue. However, it has yet to get up to the CVE database to get revoked/amended. I just tweeted at Snyk to see how long that process normally takes. I doubt I'll hear anything, but... it seems to be the best way to get in touch about something like this.

snoopysecurity commented 3 years ago

Hey @Garbee, thanks for raising this issue. Yep, I agree: anything going into evaluate should not be trusted, and it is not the responsibility of the maintainer to sanitise user input. This was added by Snyk by mistake, apologies for the spam. I will revoke the CVE and mark any Snyk references as false positive. (Expect this change in the next 24 hours.)

alasdairhurst commented 3 years ago

Doesn't look like the CVE database maintainers poll updates to existing issues that are revoked unfortunately :(

I sent a report last month to the CVE database and didn't hear back. Maybe someone else will be luckier. For https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23334 you will need to post a request here asking for a CVE update and then asking for the CVE to be revoked: https://cveform.mitre.org/

snoopysecurity commented 3 years ago

Hey, after contacting MITRE through multiple channels, CVE-2021-23334 has been marked as rejected/revoked. Hope this helps. This issue can be closed

SymbioticKilla commented 3 years ago

npm audit from today =(

Critical Withdrawn: Arbitrary Code Execution in static-eval

Package static-eval

Patched in No patch available

Dependency of @amcharts/amcharts4

Path @amcharts/amcharts4 > pdfmake > svg-to-pdfkit > pdfkit > linebreak > brfs > static-module > static-eval

leonardomaier commented 3 years ago

npm audit from today =(

Critical Withdrawn: Arbitrary Code Execution in static-eval

Package static-eval

Patched in No patch available

Dependency of @amcharts/amcharts4

Path @amcharts/amcharts4 > pdfmake > svg-to-pdfkit > pdfkit > linebreak > brfs > static-module > static-eval

Same problem here =(

kmannislands commented 3 years ago

For those commenting about failing npm/yarn audits suddenly today, I suspect this has to do with the background change to the npm advisories database which now points to the github advisories db: https://github.blog/2021-10-07-github-advisory-database-now-powers-npm-audit/

Not sure what to do with this info yet but an fyi @leonardomaier @SymbioticKilla

JingBluestone commented 3 years ago

npm audit from today =(

Critical Withdrawn: Arbitrary Code Execution in static-eval

Package static-eval

Patched in No patch available

Dependency of @amcharts/amcharts4

Path @amcharts/amcharts4 > pdfmake > svg-to-pdfkit > pdfkit > linebreak > brfs > static-module > static-eval

Same issue here also. Any update?

goto-bus-stop commented 3 years ago

This package is very stable and the only maintenance effort is in dealing with bogus security warnings. I don't know why npm doesn't just allow you to silence warnings that are clearly bullshit instead of forcing us to do useless work. I guess I'll email them about this one…

DarthVitalus commented 2 years ago

For folks who use auditjs: use whitelisting.

1) Add a file auditjs.json to the folder where you run the auditjs command, with the following content:

{
  "ignore": [
    { "id": "CVE-2021-23334", "reason": "any reason you want" }
  ]
}

2) Run the audit command: npx auditjs ossi --whitelist /path/to/file/auditjs.json