expr-eval Prototype Pollution Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A prototype pollution vulnerability has been identified in the npm package 'expr-eval' in versions up to and including 2.0.2. An attacker who can supply expressions to the 'expr-eval' interface can manipulate the JavaScript prototype chain, which can escalate to arbitrary code execution. The issue lies in how the package handles expressions: crafted input can define properties on a prototype rather than on the intended object, the pattern known as prototype pollution. Once a shared prototype such as Object.prototype is polluted, every object that inherits from it sees the injected property, and in environments like Node.js this can be turned into code execution.
Impact
Exploitation results in prototype pollution, which can lead to arbitrary code execution in whatever process evaluates the attacker-controlled expression.
Reproduction
To reproduce this vulnerability, use 'expr-eval' version 2.0.2 or earlier. The trigger is parsing and evaluating an expression that assigns a value to a prototype-reaching property name such as 'constructor', 'prototype' or '__proto__'. The 'Object.assign' method can then be used to transfer the injected property onto another object, so the pollution propagates. With the prototype polluted, an attacker can execute arbitrary code, for example by reaching the 'child_process' module to run commands. A quick check for whether a running process has already been polluted is to read the suspect property on a freshly created object ({}) and confirm that it is undefined.
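The following added example (written for this page, not code from the expr-eval package and not a reproduction against it) shows the mechanism in a deliberately minimal assignment evaluator: a dotted path in the expression is walked with ordinary property access, so '__proto__' in the path lands the assignment on Object.prototype. The names parseAssignment, evaluateUnsafe, evaluateSafe, isPolluted and demo, the toy grammar (identifiers on the left, a numeric literal on the right), and the hardening choices are all assumptions of the example. It assumes default Node.js settings (no --disable-proto flag).

```javascript
// Constructed toy evaluator illustrating prototype pollution via assignment.
// NOT the expr-eval package's code; grammar and names are assumptions.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Parse "a.b.c = 42" into { path: ['a', 'b', 'c'], value: 42 }.
// Toy grammar: dotted identifiers on the left, numeric literal on the right.
function parseAssignment(src) {
  const m = /^\s*([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)\s*=\s*(-?\d+(?:\.\d+)?)\s*$/.exec(src);
  if (!m) throw new SyntaxError(`unsupported expression: ${src}`);
  return { path: m[1].split('.'), value: Number(m[2]) };
}

// Vulnerable evaluator: walks the path with plain property access, so
// "x.__proto__.isAdmin = 1" reaches Object.prototype through the
// inherited __proto__ accessor and pollutes every object in the process.
function evaluateUnsafe(src, scope = {}) {
  const { path, value } = parseAssignment(src);
  let target = scope;
  for (const key of path.slice(0, -1)) {
    if (target[key] === undefined) target[key] = {};
    target = target[key];
  }
  target[path[path.length - 1]] = value;
  return value;
}

// Hardened evaluator: rejects prototype-reaching keys anywhere in the path,
// only descends through own properties, and creates intermediate objects
// without a prototype so there is no chain to climb.
function evaluateSafe(src, scope = Object.create(null)) {
  const { path, value } = parseAssignment(src);
  for (const key of path) {
    if (DANGEROUS_KEYS.has(key)) throw new Error(`refusing to assign through ${key}`);
  }
  let target = scope;
  for (const key of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (!own || typeof target[key] !== 'object' || target[key] === null) {
      target[key] = Object.create(null);
    }
    target = target[key];
  }
  target[path[path.length - 1]] = value;
  return value;
}

// Detection check: has Object.prototype acquired an own property it
// should not have? A clean process returns false.
function isPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Run both evaluators on the same attacker-style input (constructed sample)
// and report what happened; cleans up so the demo leaves no pollution behind.
function demo() {
  const results = {};

  evaluateUnsafe('x.__proto__.isAdmin = 1', {});
  results.unsafePolluted = isPolluted('isAdmin');   // true
  results.freshObjectSees = ({}).isAdmin;           // 1: unrelated objects inherit it
  delete Object.prototype.isAdmin;                  // cleanup for the demo only

  let rejected = false;
  try {
    evaluateSafe('x.__proto__.isAdmin = 1', {});
  } catch (e) {
    rejected = true;
  }
  results.safeRejected = rejected;                  // true
  results.safePolluted = isPolluted('isAdmin');     // false

  const scope = Object.create(null);
  evaluateSafe('cfg.timeout = 30', scope);
  results.safeAssigned = scope.cfg.timeout;         // 30: legitimate assignment still works

  return results;
}

console.log(demo());
```

The denylist alone is not sufficient in general (it can be bypassed where keys are decoded or normalised after the check), which is why the hardened version also refuses to walk inherited properties and keeps the scope prototype-free; treat the two measures as complementary.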
Remediation
Users can migrate to 'expr-eval-fork', a patched fork of the original package. Because the fork is published under a different package name, switching means replacing the dependency rather than bumping a version, and the fork's maintainer and release history should be reviewed like any new dependency. As defence in depth, never evaluate untrusted expressions against objects that share Object.prototype with the rest of the application, and consider running Node.js with --disable-proto=throw so that any access to the __proto__ accessor fails loudly instead of silently rewiring the prototype chain.
