CVE-2023-26121 identifies a Prototype Pollution vulnerability within the safe-eval package. This flaw allows attackers to inject malicious properties into the global Object.prototype, impacting all objects in the JavaScript environment. Versions of safe-eval prior to 0.4.2 are affected. Applying an upgrade to a patched version is the recommended remediation.
影响与攻击场景翻译中…
Prototype Pollution vulnerabilities, like CVE-2023-26121, can have severe consequences. An attacker exploiting this flaw can modify the behavior of existing JavaScript code by injecting properties into Object.prototype. This can lead to unexpected application behavior, data corruption, and, in some cases, Remote Code Execution (RCE). The safeEval function, specifically, is vulnerable due to insufficient sanitization of input parameters. Successful exploitation could allow an attacker to bypass security controls, escalate privileges, or compromise the entire application.
利用背景翻译中…
CVE-2023-26121 was published on April 11, 2023. There is currently no indication of active exploitation in the wild, but the vulnerability's critical severity and ease of exploitation warrant immediate attention. The vulnerability is not listed on KEV or EPSS, indicating a low to medium probability of exploitation. Public Proof-of-Concept (POC) code is likely to emerge given the vulnerability's nature and severity.
威胁情报
漏洞利用状态
EPSS
0.10% (28% 百分位)
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 无 — 无需认证,无需凭证即可利用。
- User Interaction
- 无 — 攻击自动且无声,受害者无需任何操作。
- Scope
- 已改变 — 攻击可以超出脆弱组件,影响其他系统。
- Confidentiality
- 高 — 完全丧失机密性,攻击者可读取所有数据。
- Integrity
- 高 — 攻击者可写入、修改或删除任何数据。
- Availability
- 高 — 完全崩溃或资源耗尽,完全拒绝服务。
受影响的软件
时间线
- 发布日期
- 修改日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2023-26121 is to upgrade to version 0.4.3 or later of the safe-eval package. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any data passed to the safeEval function. While a direct workaround is difficult, restricting the permissions of the application and employing a Web Application Firewall (WAF) with prototype pollution detection rules can help reduce the attack surface. Regularly scan dependencies for known vulnerabilities using tools like npm audit or yarn audit.
修复方法翻译中…
暂无官方补丁。请查找临时解决方案或持续关注更新。
常见问题翻译中…
What is CVE-2023-26121 — Prototype Pollution in safe-eval?
CVE-2023-26121 is a critical Prototype Pollution vulnerability in the safe-eval package, affecting versions up to 0.4.2. It allows attackers to manipulate object properties, potentially leading to Remote Code Execution (RCE).
Am I affected by CVE-2023-26121 in safe-eval?
If your project uses safe-eval version 0.4.2 or earlier, you are vulnerable. Check your project's dependencies using npm list safe-eval or yarn list safe-eval.
How do I fix CVE-2023-26121 in safe-eval?
Upgrade to version 0.4.3 or later of the safe-eval package. Use npm install safe-eval@latest or yarn add safe-eval@latest to update.
Is CVE-2023-26121 being actively exploited?
There is currently no confirmed active exploitation in the wild, but the vulnerability's severity warrants immediate remediation to prevent potential attacks.
Where can I find the official safe-eval advisory for CVE-2023-26121?
Refer to the package's advisory on the npm registry: [https://www.npmjs.com/advisories/1738](https://www.npmjs.com/advisories/1738)
立即试用 — 无需账户
上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...