GMS-2020-411: Sandbox Breakout / Prototype Pollution in notevil

September 4, 2020 (updated October 1, 2021)

Versions of notevil are vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing attacker to add or modify an object’s prototype.

Evaluating the payload try{a[b];}catch(e){e.constructor.constructor('return __proto__.arguments.callee.__proto__.polluted=true')()} add the polluted property to Function.

References

github.com/advisories/GHSA-9gxr-rhx6-4jgv
www.npmjs.com/advisories/1338

Detect and mitigate GMS-2020-411 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →