CVE-2023-39532: 
JavaScript vulnerability analysis and mitigation

SES (Secure ECMAScript) is a JavaScript environment that allows safe execution of arbitrary programs in Compartments. A critical vulnerability was discovered affecting multiple versions (0.18.0-0.18.7, 0.17.0-0.17.1, 0.16.0-0.16.1, 0.15.0-0.15.24, 0.14.0-0.14.5, 0.13.0-0.13.5) where guest programs running inside a Compartment could gain unauthorized access to the host's dynamic import functionality (GitHub Advisory).

The vulnerability stems from a hole in the confinement of guest applications that allows access to the host's dynamic import functionality through a specific pattern using the spread operator: {...import(arbitraryModuleSpecifier)}. This bypass occurs because while SES previously censored direct import(specifier) calls and allowed object.import(specifier), the relaxation for the latter form inadvertently permitted import with the spread operator (GitHub Advisory).

The impact varies depending on the environment. In web or web extensions without proper Content-Security-Policy, attackers can issue HTTP requests for communication or code execution. In Node.js environments, attackers can access the Node.js module system and execute arbitrary code through data URLs. For XS worker environments, attackers can access the host's module system to the extent of its configuration (GitHub Advisory).

Several mitigation strategies are available: 1) For web applications, implementing a properly constrained Content-Security-Policy mitigates most threats. 2) For XS environments, building a binary that lacks runtime module loading capability through implementing fxFindModule in xsPlatform.c that calls fxRejectModuleFile provides complete mitigation. 3) For all affected versions, patches are available in versions 0.18.7, 0.17.1, 0.16.1, 0.15.24, 0.14.5, and 0.13.5 (GitHub Advisory).