CVE-2017-16226

9.8 CRITICAL

📋 TL;DR

CVE-2017-16226 is a critical remote code execution vulnerability in the static-eval npm module. It allows attackers to execute arbitrary JavaScript code by exploiting improper input validation that permits access to the global Function constructor. Any application using vulnerable versions of static-eval to evaluate untrusted user input is affected.

💻 Affected Systems

Products:
  • static-eval npm module
Versions: before 2.0.0
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when evaluating untrusted user input. Applications that use static-eval with trusted data only are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the application server, allowing data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case

Remote code execution leading to data exfiltration, cryptocurrency mining, or participation in botnets.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented, potentially reduced to denial of service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward once an attacker can submit malicious input to the vulnerable evaluation function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.0 and later

Vendor Advisory: https://github.com/substack/static-eval/pull/18

Restart Required: Yes

Instructions:

1. Update package.json to require static-eval version 2.0.0 or higher.
2. Run 'npm update static-eval'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization (all)

Implement strict input validation to reject any expressions containing dangerous patterns such as 'constructor' or 'Function'. Treat this as a stopgap only: a pattern denylist can be bypassed and does not replace upgrading to 2.0.0.

Sandbox evaluation environment (all)

Run static-eval in a sandboxed environment using vm2 or similar modules to isolate code execution. Note that vm2 itself has had several sandbox-escape vulnerabilities and is no longer maintained, so it should likewise not be relied on in place of upgrading.

🧯 If You Can't Patch

  • Disable or remove functionality that uses static-eval with untrusted user input
  • Implement network segmentation and strict firewall rules to limit access to vulnerable applications

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list static-eval' to see the installed version(s), including transitive copies nested under other dependencies. If any installed copy is below 2.0.0, you are vulnerable.

Check Version:

npm list static-eval

Verify Fix Applied:

After updating, verify with 'npm list static-eval' that version 2.0.0 or higher is installed and test that malicious expressions no longer execute.
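To verify the fix across a whole dependency tree rather than by eye, the following added example (not from the advisory or the static-eval project) scans a parsed package-lock.json and reports every copy of static-eval older than 2.0.0, including transitive copies nested under other packages. The sample lockfile at the end is constructed for illustration.

```javascript
// Added example (not from the advisory or the static-eval project): flag
// static-eval versions older than the fixed release 2.0.0 in a lockfile.
// Handles the nested lockfileVersion 1 "dependencies" tree and the flat v2/v3 "packages" map.
const FIXED_VERSION = "2.0.0";

// Numeric compare of two x.y.z strings (prerelease tags ignored): -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every install path of static-eval whose version is below 2.0.0,
// including transitive copies nested under other packages.
function findVulnerableStaticEval(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (meta && meta.version && compareSemver(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  };
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/a/node_modules/static-eval"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/static-eval$/.test(path)) check(path, meta);
    }
  } else {
    // v1: recurse through nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "static-eval") check(path, meta);
        walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v1): the direct copy is fixed, but a
// transitive copy under "some-lib" is still on 1.1.1.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  "static-eval": { version: "2.0.0" },
  "some-lib": { version: "0.1.0", dependencies: { "static-eval": { version: "1.1.1" } } } } };
```

Run it against a real lockfile with `findVulnerableStaticEval(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty result means every installed copy is at or above 2.0.0.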

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawns from Node.js applications
  • Unexpected network connections from application servers
  • Error logs showing failed expression evaluations

Network Indicators:

  • Outbound connections to suspicious IPs from application servers
  • Unusual data exfiltration patterns

SIEM Query:

source="application.logs" AND ("static-eval" OR "constructor" OR "Function") AND status="error"
