7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7777

GHSA ID

GHSA-vm64-cfqx-3698

EPSS Score

0.7577%

CWE

CWE-94

Published

2/10/2022

Updated

9/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7777

CVE-2020-7777: Code Injection in jsen

This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention about the risks of untrusted schema files, so it is assumed that this is applicable. In particular the required field of the schema is not properly sanitized. The resulting string that is build based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution.

PoC

const jsen = require('jsen');
let schema = JSON.parse(
{ &quot;type&quot;: &quot;object&quot;, &quot;properties&quot;: { &quot;username&quot;: { &quot;type&quot;: &quot;string&quot; } }, &quot;required&quot;: [&quot;\\&quot;+process.mainModule.require(\&#39;child_process\&#39;).execSync(\&#39;touch malicious\&#39;)+\\&quot;&quot;] }
);

const validate = jsen(schema); validate({});

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7777

GHSA ID

GHSA-vm64-cfqx-3698

EPSS Score

0.7577%

CWE

CWE-94

Published

2/10/2022

Updated

9/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jsen	npm	<= 0.6.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability occurs in the processing of the 'required' field in JSON schemas. The code responsible for handling the 'required' keyword (keywords.required function) dynamically generates validation checks by concatenating user-controlled schema values into executable code strings. The PoC demonstrates that malicious values in the 'required' array (containing JavaScript code) get directly embedded into the generated validation function. This unsanitized code is then executed via Function.apply(), leading to arbitrary code execution. The code at line 875 of jsen.js (referenced in advisories) shows the pattern of building executable strings from schema values without proper sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts *ll v*rsions o* p**k*** js*n. I* *n *tt**k*r **n *ontrol t** s***m* *il*, it *oul* run *r*itr*ry J*v*S*ript *o** on t** vi*tim m***in*. In t** mo*ul* **s*ription *n* R***M* *il* t**r* is no m*ntion **out t** risks o* untrust** s***m* *il

Reasoning

T** vuln*r**ility o**urs in t** pro**ssin* o* t** 'r*quir**' *i*l* in JSON s***m*s. T** *o** r*sponsi*l* *or **n*lin* t** 'r*quir**' k*ywor* (`k*ywor*s.r*quir**` *un*tion) *yn*mi**lly **n*r*t*s v*li**tion ****ks *y *on**t*n*tin* us*r-*ontroll** s***m

7.2

Basic Information

Concerned about an active attack path?

CVE-2020-7777: Code Injection in jsen

PoC

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI