pdfme Sandbox Escape Vulnerability Allowing XSS and Prototype Pollution
Vulnerability
A vulnerability in the expression evaluation feature of pdfme versions 5.2.0 through 5.4.0 allows for sandbox escape, leading to cross-site scripting (XSS) and prototype pollution attacks. This issue has been addressed in version 5.4.1.
Impact
Exploitation of this vulnerability allows for arbitrary JavaScript code execution, bypassing the application's security sandbox. This could lead to XSS attacks, where an attacker could execute scripts in the context of the user's session, and prototype pollution, which could manipulate the behavior of objects in JavaScript.
Reproduction
To reproduce this vulnerability, load a template in pdfme that includes a payload exploiting the expression evaluator's access to prototype methods. The payload can be crafted to execute arbitrary JavaScript code, such as using the Function constructor to execute `alert(location)`. This can be done by accessing prototype pollution methods through Object.assign, polluting the prototype chain, and then using the polluted prototype to execute the injected code.
Remediation
Users can upgrade to pdfme version 5.4.1 or later to address this vulnerability.
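Until that upgrade is rolled out, templates already stored by an application can be checked for expressions that reach the primitives this advisory names (prototype-chain access, the Function constructor, Object.assign). The scanner below is an added example and not pdfme's own code; it assumes template fields hold strings and that expressions are written inside curly braces such as `{ ... }` (assumed pdfme 5.x syntax), and the sample template is constructed.

```javascript
// Added example (not pdfme's own code): flag template expressions that touch
// the prototype chain or dynamic-code constructors named in the advisory.
// Assumption: expressions appear inside "{ ... }" in string fields (assumed syntax).
const DANGEROUS_PATTERNS = [
  { name: 'constructor', re: /\bconstructor\b/ },           // reaches Function via obj.constructor
  { name: '__proto__', re: /\b__proto__\b/ },               // direct prototype-chain access
  { name: 'prototype', re: /\bprototype\b/ },               // Foo.prototype.x = ... (pollution)
  { name: 'Function', re: /\bFunction\b/ },                 // Function constructor by name
  { name: 'Object.assign', re: /\bObject\s*\.\s*assign\b/ }, // pollution via Object.assign
];

// Pull every "{ ... }" segment out of a content string (no nesting assumed).
function extractExpressions(text) {
  const out = [];
  const re = /\{([^{}]*)\}/g;
  let m;
  while ((m = re.exec(text)) !== null) out.push(m[1].trim());
  return out;
}

// Walk the template recursively; every string field is treated as possible expression content.
// Returns [{ path, expression, patterns }] for each expression that matches a pattern.
function scanTemplate(node, path = 'template', findings = []) {
  if (typeof node === 'string') {
    for (const expr of extractExpressions(node)) {
      const hits = DANGEROUS_PATTERNS.filter((p) => p.re.test(expr)).map((p) => p.name);
      if (hits.length) findings.push({ path, expression: expr, patterns: hits });
    }
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      scanTemplate(value, `${path}.${key}`, findings);
    }
  }
  return findings;
}

// Constructed sample: one benign arithmetic expression and two that reach the prototype chain.
const sampleTemplate = {
  basePdf: 'BLANK_PDF',
  schemas: [[
    { name: 'total', type: 'text', content: '{ price * qty }' },
    { name: 'bad1', type: 'text', content: '{ total.constructor.constructor }' },
    { name: 'bad2', type: 'text', content: '{ Object.assign(total.__proto__, extra) }' },
  ]],
};

// scanTemplate(sampleTemplate) reports the two 'bad' fields and ignores 'total'.
```

This is a keyword heuristic: expressions that assemble property names at runtime are not caught, so it complements the version upgrade rather than replacing it.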