Lightning Flow Scanner Arbitrary JavaScript Execution Vulnerability in APIVersion Rule
Vulnerability
A vulnerability in Lightning Flow Scanner versions through 6.10.5 allows arbitrary JavaScript execution. The issue lies in the APIVersion rule, which passes its expression string to new Function(), so the string is compiled and run as JavaScript rather than parsed as data. An attacker can exploit this by injecting a malicious expression into the rule configuration or through a crafted flow metadata file. The execution occurs during the scanning process, potentially compromising developer machines, continuous integration runners, or editor environments.
Impact
Exploitation of this vulnerability allows arbitrary JavaScript execution in the process that runs the scan, which could lead to code injection or execution of malicious scripts in the user's environment (a developer workstation, a CI runner, or an editor extension host).
Reproduction
To reproduce this vulnerability, create a flow metadata file that includes a malicious expression targeting the APIVersion rule. When this file is scanned using Lightning Flow Scanner versions through 6.10.5, the injected JavaScript will be executed, demonstrating the vulnerability.
Remediation
Users can update to Lightning Flow Scanner version 6.10.6 or later, or version 2.4.4 of the VS Code extension, where this vulnerability has been patched.
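The following is an added illustration of the pattern the advisory describes and of a safe alternative; it is not Lightning Flow Scanner's code and does not describe the actual 6.10.6 patch. It assumes (hypothetically) an APIVersion-style rule whose configuration holds a comparison expression such as ">=50" that is checked against a flow's apiVersion. The unsafe form concatenates the configured string into source and compiles it with new Function(); the hardened form treats the expression as data, accepting only a comparator followed by a number and dispatching through a fixed operator table, so any other string is rejected instead of executed.

```javascript
// Added example, not Lightning Flow Scanner's own code. Rule and field names
// and the "<comparator><number>" expression format are assumptions.

// Vulnerable pattern described in the advisory: the configured expression is
// spliced into source text and compiled, so whatever string reaches it (rule
// config or crafted flow metadata) runs as JavaScript in the scanner process.
function evaluateUnsafe(expression, apiVersion) {
  return new Function("v", "return v " + expression)(apiVersion);
}

// Hardened form: the expression is parsed, never compiled. Only these six
// comparators are reachable, and the operand must be a plain number.
const COMPARATORS = {
  "<":  (a, b) => a < b,
  "<=": (a, b) => a <= b,
  ">":  (a, b) => a > b,
  ">=": (a, b) => a >= b,
  "==": (a, b) => a === b,
  "!=": (a, b) => a !== b,
};
const EXPRESSION_RE = /^\s*(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)?)\s*$/;

function parseExpression(expression) {
  if (typeof expression !== "string") {
    throw new TypeError("APIVersion expression must be a string");
  }
  const m = EXPRESSION_RE.exec(expression);
  if (!m) {
    // Anything outside the grammar is a configuration error, not code to run.
    throw new Error(`Rejected APIVersion expression: ${JSON.stringify(expression)}`);
  }
  return { op: m[1], value: Number(m[2]) };
}

function evaluateSafe(expression, apiVersion) {
  const { op, value } = parseExpression(expression);
  const version = Number(apiVersion);
  if (!Number.isFinite(version)) {
    // Flow metadata is untrusted input too: a non-numeric version is rejected.
    throw new Error(`Flow apiVersion is not numeric: ${JSON.stringify(apiVersion)}`);
  }
  return COMPARATORS[op](version, value);
}

// Rule-style wrapper: returns one finding per flow that fails the check.
function checkApiVersion(flow, ruleConfig) {
  const passes = evaluateSafe(ruleConfig.expression, flow.apiVersion);
  return passes ? [] : [{ rule: "APIVersion", flow: flow.name, apiVersion: flow.apiVersion }];
}

// Constructed sample flows (not real metadata) scanned with a constructed config.
const sampleFlows = [
  { name: "Good_Flow", apiVersion: "58.0" },
  { name: "Old_Flow", apiVersion: "42.0" },
];
const sampleConfig = { expression: ">=50" };

function scanFlows(flows, ruleConfig) {
  return flows.flatMap((flow) => checkApiVersion(flow, ruleConfig));
}

console.log(JSON.stringify(scanFlows(sampleFlows, sampleConfig)));
```

The design choice worth copying is that the configuration value never becomes source text: a regular expression decides whether it is well formed, and a lookup table decides what it means. Both the config file and the flow metadata are treated as untrusted input, which matches the two injection paths the advisory names.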