
CVE-2020-7677: thenify before 3.3.1 made use of unsafe calls to `eval`.

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.39186%
Published: 7/18/2022
Updated: 1/23/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| thenify | npm | < 3.3.1 | 3.3.1 |
| org.webjars.npm:thenify | maven | < 3.3.1 | 3.3.1 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from unsafe `eval()` usage in both the `thenify` function and its `withCallback` method. The pre-patch code constructed a function string in `createWrapper` and executed it via `eval()`, using the original function's name (`$$__fn__$$.name`) without sanitization. Since attackers could manipulate the function name (e.g., via `Object.defineProperty`), this allowed arbitrary code injection. The commit 0d94a24 removed `eval()` entirely, replacing it with direct function construction, confirming these were the vulnerable entry points.
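The root cause above, shown as an added example that is not thenify's own code: a simplified callback-to-promise wrapper in the pre-3.3.1 style, which splices the callee's `.name` into source text and `eval()`s it, beside a hardened form that builds the wrapper directly (the names `thenifyVulnerable`, `thenifySafe` and the constructed hostile function name are assumptions for illustration).

```javascript
// Added example, not thenify's code. A function's .name is caller-controlled
// data (Object.defineProperty(fn, 'name', ...)), so it must never be parsed as code.

// Pre-patch pattern (simplified): the name is spliced into source text and eval()ed.
function thenifyVulnerable(fn) {
  const src =
    '(function ' + fn.name + '() {' +
    '  const args = Array.prototype.slice.call(arguments);' +
    '  return new Promise((resolve, reject) => {' +
    '    args.push((err, res) => (err ? reject(err) : resolve(res)));' +
    '    fn.apply(this, args);' +
    '  });' +
    '})';
  // Whatever fn.name contains is handed to the JavaScript parser here.
  return eval(src);
}

// Hardened pattern (direct construction, as the 3.3.1 fix does): no string
// is ever evaluated; the name is attached as a plain data property.
function thenifySafe(fn) {
  const wrapper = function () {
    const args = Array.prototype.slice.call(arguments);
    return new Promise((resolve, reject) => {
      args.push((err, res) => (err ? reject(err) : resolve(res)));
      fn.apply(this, args);
    });
  };
  Object.defineProperty(wrapper, 'name', { value: fn.name, configurable: true });
  return wrapper;
}

// Constructed sample: a callback-style API whose name is not a valid identifier.
// A real attacker-chosen name could hold code; a non-identifier is enough to
// show which wrapper treats the name as code and which treats it as data.
function makeHostileNamed() {
  const fn = function (x, cb) { cb(null, x * 2); };
  Object.defineProperty(fn, 'name', { value: 'not an identifier' });
  return fn;
}

// True when the vulnerable wrapper lets fn.name reach the parser (SyntaxError),
// i.e. the name is being interpreted as source code rather than as a label.
function vulnerableParsesNameAsCode(fn) {
  try { thenifyVulnerable(fn); return false; }
  catch (e) { return e instanceof SyntaxError; }
}
```

With a benign name both wrappers behave identically; with the hostile name the vulnerable one fails inside `eval()` while the hardened one returns a working promise-returning wrapper whose `.name` is simply the string.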


WAF Protection Rules

WAF Rule

Versions of thenify prior to 3.3.1 made use of unsafe calls to `eval`. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to `eval`.
