Platform: nodejs
Component: reduce-css-calc
Fixed in: 1.2.5
CVE-2016-10548 is a critical remote code execution (RCE) vulnerability affecting the reduce-css-calc Node.js package. The vulnerability stems from the package passing user-supplied input directly to the eval function, enabling attackers to execute arbitrary code on the server or inject cross-site scripting (XSS) into the browser. This impacts versions prior to 1.2.5, and a fix is available in version 1.2.5.
This vulnerability is particularly dangerous because it allows for complete control over the affected system. An attacker can inject malicious code into the eval function, leading to arbitrary code execution on the server hosting the Node.js application. This could result in data breaches, system compromise, and complete takeover of the server. On the client side, the vulnerability can be exploited to inject malicious JavaScript code, leading to XSS attacks and potentially stealing user credentials or redirecting users to malicious websites. The proof of concept demonstrates the ability to read files from the filesystem, highlighting the severity of the risk.
CVE-2016-10548 has been publicly disclosed and a proof-of-concept (PoC) is available, increasing the likelihood of exploitation. While there are no confirmed reports of active exploitation at the time of writing, the ease of exploitation and the critical severity of the vulnerability make it a high-priority risk. It is not listed on the CISA KEV catalog as of this writing.
Applications built with Node.js that utilize the reduce-css-calc package, particularly those that process user-supplied CSS or accept CSS input from external sources, are at significant risk. Shared hosting environments where multiple applications share the same Node.js instance are also particularly vulnerable.
• nodejs / supply-chain:
find node_modules -name "reduce-css-calc" -print0 | xargs -0 npm list --depth=0
• nodejs / supply-chain:
npm ls reduce-css-calc
• generic web:
Inspect application code for usage of reduce-css-calc and any unsanitized user input passed to it.
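The npm commands above only report what is installed in the current working tree. As an added example (not part of this advisory or of the reduce-css-calc project), the script below walks a package-lock.json object, including transitive copies nested under other packages, and reports every reduce-css-calc entry below the fixed version 1.2.5. The lockfile in it is constructed sample data.

```javascript
// Added example: report reduce-css-calc installs below the fixed version 1.2.5
// from a package-lock.json object. SAMPLE_LOCK below is constructed sample data.
const FIXED = [1, 2, 5];

// Parse "1.2.4", "v1.2.4" or "1.2.4-beta.1" into [major, minor, patch], else null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when the installed version is strictly below 1.2.5.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return false; // unparsable (git URL, tag): review such entries by hand
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// Collect {path, version} for every vulnerable reduce-css-calc entry. Handles
// lockfile v1 (nested "dependencies") and v2/v3 (flat "packages" keyed by path).
function findVulnerable(lock, name = "reduce-css-calc") {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith("node_modules/" + name) && meta.version && isVulnerable(meta.version))
        hits.push({ path: p, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [n, meta] of Object.entries(deps || {})) {
      const p = prefix + "node_modules/" + n;
      if (n === name && isVulnerable(meta.version)) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, p + "/"); // nested copies hide under other packages
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: patched direct copy, plus one vulnerable transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "reduce-css-calc": { version: "1.2.5" },
    "postcss-calc": { version: "5.3.1", dependencies: { "reduce-css-calc": { version: "1.3.0" } } },
    "old-tool": { version: "0.1.0", dependencies: { "reduce-css-calc": { version: "1.2.4" } } },
  },
};
console.log(findVulnerable(SAMPLE_LOCK));
```

Run it against a real lockfile with `findVulnerable(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means no parseable reduce-css-calc version below 1.2.5 is pinned.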
Exploit status
EPSS: 0.43% (62nd percentile)
The primary mitigation for CVE-2016-10548 is to immediately upgrade the reduce-css-calc package to version 1.2.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily isolating the affected application behind a Web Application Firewall (WAF) that can filter potentially malicious input to the calc function. Carefully review any user input that is passed to the reduce-css-calc package and sanitize it to prevent malicious code injection. After upgrading, confirm the fix by attempting to execute the provided proof-of-concept code; it should now fail to execute.
CVE-2016-10548 is a critical remote code execution vulnerability in the reduce-css-calc Node.js package, allowing attackers to execute arbitrary code due to unsanitized user input passed to the eval function.
You are affected if your Node.js application uses reduce-css-calc versions prior to 1.2.5. Check your project dependencies to determine if you are vulnerable.
Upgrade the reduce-css-calc package to version 1.2.5 or later using npm or yarn. If immediate upgrade is not possible, implement temporary WAF rules to filter malicious input.
While there are no confirmed reports of active exploitation, the vulnerability's severity and ease of exploitation make it a high-priority risk.
Refer to the npm advisory and the project's GitHub repository for details: [https://www.npmjs.com/advisories/621](https://www.npmjs.com/advisories/621)