You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Affected by this project redis/node-redis is vulnerable to Incomplete List of Unallowed Inputs when using plugins that rely on internal Babel path.evaluate() or path.evaluateTruthy() methods.
Of course, the payload can be adapted to do anything, such as exfiltrate data or spawn a reverse shell. The source code of babel-traverse/src/path/evaluation.ts prior to the fix is archived here
/** * Walk the input `node` and statically evaluate it. * * Returns an object in the form `{ confident, value, deopt }`. `confident` * indicates whether or not we had to drop out of evaluating the expression * because of hitting an unknown node that we couldn't confidently find the * value of, in which case `deopt` is the path of said node. * * Example: * * t.evaluate(parse("5 + 5")) // { confident: true, value: 10 } * t.evaluate(parse("!true")) // { confident: true, value: false } * t.evaluate(parse("foo + foo")) // { confident: false, value: undefined, deopt: NodePath } * */exportfunctionevaluate(this: NodePath): {
confident: boolean;
value: any;deopt?: NodePath;}{conststate: State={confident: true,deoptPath: null,seen: newMap(),};letvalue=evaluateCached(this,state);if(!state.confident)value=undefined;return{confident: state.confident,deopt: state.deoptPath,value: value,};}
Description
Affected by this project
redis/node-redis
is vulnerable to Incomplete List of Unallowed Inputs when using plugins that rely on internal Babelpath.evaluate()
orpath.evaluateTruthy()
methods.Proof of Concept
Of course, the payload can be adapted to do anything, such as exfiltrate data or spawn a reverse shell. The source code of
babel-traverse/src/path/evaluation.ts
prior to the fix is archived hereCWE-184
CWE-697
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
PULL Request
#2756
Redis Server Version
4.6.13
Node Redis Version
No response
Platform
No response
Logs
No response
The text was updated successfully, but these errors were encountered: