Platform: nodejs
Component: reduce-css-calc
Fixed in: 1.2.5
CVE-2016-10548 is a critical remote code execution (RCE) vulnerability affecting the reduce-css-calc Node.js package. The vulnerability stems from the package passing user-supplied input directly to the eval function, enabling attackers to execute arbitrary code on the server or inject cross-site scripting (XSS) into the browser. This impacts versions prior to 1.2.5, and a fix is available in version 1.2.5.
This vulnerability is particularly dangerous because it allows complete control over the affected system. An attacker can inject malicious code into the eval call, leading to arbitrary code execution on the server hosting the Node.js application. This could result in data breaches, system compromise, and complete takeover of the server. On the client side, the vulnerability can be exploited to inject malicious JavaScript, leading to XSS attacks and potentially to theft of user credentials or redirection of users to malicious websites. The proof of concept demonstrates the ability to read files from the filesystem, highlighting the severity of the risk.
CVE-2016-10548 has been publicly disclosed and a proof-of-concept (PoC) is available, increasing the likelihood of exploitation. While there are no confirmed reports of active exploitation at the time of writing, the ease of exploitation and the critical severity of the vulnerability make it a high-priority risk. It is not listed on the CISA KEV catalog as of this writing.
Exploit Status
EPSS: 0.43% (62nd percentile)
The primary mitigation for CVE-2016-10548 is to immediately upgrade the reduce-css-calc package to version 1.2.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily isolating the affected application behind a Web Application Firewall (WAF) that can filter potentially malicious input to the calc function. Carefully review any user input that is passed to the reduce-css-calc package and sanitize it to prevent malicious code injection. After upgrading, confirm the fix by attempting to execute the provided proof-of-concept code; it should now fail to execute.
CVE-2016-10548 is a critical remote code execution vulnerability in the reduce-css-calc Node.js package, allowing attackers to execute arbitrary code due to unsanitized user input passed to the eval function.
You are affected if your Node.js application uses reduce-css-calc versions prior to 1.2.5. Check your project dependencies to determine if you are vulnerable.
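One way to carry out that dependency check from a package-lock.json, as an added example that is not code from the advisory or from the reduce-css-calc project (the lock-file contents and the plugin name `example-css-plugin` are constructed for illustration):

```javascript
// Added example: scan a package-lock.json for reduce-css-calc versions
// below the fixed release 1.2.5. Not the advisory's or the project's code.
const PACKAGE = 'reduce-css-calc';
const FIXED_VERSION = '1.2.5';

// Numeric comparison of dotted versions; pre-release suffixes are ignored.
function versionLessThan(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Report every installed copy of the package below the fixed version.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function findVulnerable(lock) {
  const hits = [];
  const check = (path, version) => {
    if (version && versionLessThan(version, FIXED_VERSION)) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + PACKAGE)) check(path, meta.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === PACKAGE) check(path, meta.version);
      walk(meta.dependencies, path + '/'); // nested copies under transitive deps
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample (lockfileVersion 1): a fixed direct copy plus a vulnerable
// nested copy under a hypothetical plugin, which npm deduplication can leave behind.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'reduce-css-calc': { version: '1.2.5' },
    'example-css-plugin': { version: '1.0.0', dependencies: { 'reduce-css-calc': { version: '1.2.4' } } }
  }
};

console.log(findVulnerable(SAMPLE_LOCK)); // [{ path: 'node_modules/example-css-plugin/node_modules/reduce-css-calc', version: '1.2.4' }]
```

Point `findVulnerable` at `JSON.parse(fs.readFileSync('package-lock.json'))` to scan a real project; a nested copy is only fixed once every reported path is at 1.2.5 or later.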
Upgrade the reduce-css-calc package to version 1.2.5 or later using npm or yarn. If immediate upgrade is not possible, implement temporary WAF rules to filter malicious input.
While there are no confirmed reports of active exploitation, the vulnerability's severity and ease of exploitation make it a high-priority risk.
Refer to the npm advisory and the project's GitHub repository for details: [https://www.npmjs.com/advisories/621](https://www.npmjs.com/advisories/621)