Wiz
Vulnerability DatabaseCVE-2024-40453

CVE-2024-40453
JavaScript vulnerability analysis and mitigation

Overview

A code injection vulnerability was discovered in squirrellyjs squirrelly version 9.0.0, which was fixed in version 9.0.1. The vulnerability exists in the component options.varName parameter and has been assigned CVE-2024-40453. The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD).

Technical details

The vulnerability exists in the src/compile-string.ts file where the env.varName parameter (passed as options to the render function) is not properly sanitized. The vulnerability occurs in the Function constructor where options.varName is passed as a parameter without validation. This allows for code injection through JavaScript's destructuring syntax in function parameters (Exploit).

Impact

The vulnerability allows attackers to execute arbitrary code on affected systems through remote code execution (RCE). This can be achieved by injecting malicious JavaScript code through the options.varName parameter, potentially leading to complete system compromise (Exploit).

Mitigation and workarounds

Users should upgrade to squirrelly version 9.0.1 or later which contains the fix for this vulnerability. The fix was merged on July 2, 2024, and released in version 9.1.0 (GitHub PR).

Additional resources

SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues

Cloud threat landscape

Cloud threat landscape

A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

PEACH

PEACH

A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo