Security controls bypass or absence in realms-shim

Description

Sandbox Breakout in realms-shim

Versions of realms-shim prior to 1.2.1 are vulnerable to a sandbox breakout. The Realms evaluation function has an option to apply Babel-like transformations to the source code before it reaches the evaluator. One stage of this transform pipeline exposed a primal-realm (host) object to the rewriting function. Confined code that invoked the evaluator could supply a malicious rewriter function that captured this object and then used it to breach the sandbox.

Recommendation

Upgrade to version 1.2.1 or later.

Mitigation

Update Impact

Minimal update (patch release). As with any dependency change, it may still introduce breaking changes or new vulnerabilities; run your test suite after upgrading.

Ecosystem: npm
Package: realms-shim
Affected versions: <1.2.1
Patched versions: >=1.2.1