If you build websites or apps, you have probably used open-source tools to speed up tasks. They are a time-saver, right? However, those same open-source tools can introduce significant security vulnerabilities. Just look at expr-eval, a well-known JavaScript library that thousands of developers use.
Recently, security researchers identified a critical remote code execution (RCE) vulnerability in the expr-eval library. In other words, this flaw could allow an attacker to run their own code on the machine that runs your application.
What Does expr-eval Do?
The expr-eval library allows applications to evaluate mathematical expressions in a safe way. Instead of writing out complex code, users can type in a short expression, such as 2 + 3 * x, and the library evaluates the formula for them. The library is very popular: it has over 3 million downloads a month, so many applications use it. Because it is so widely used, the researchers' finding that attackers can abuse expr-eval to do far more than math affects a lot of software.
How Can Hackers Exploit the Bug?
Are math tools truly dangerous? Here is how. If a website or app passes user input (from a form or an API, for example) to expr-eval, an attacker can submit an expression with malicious code embedded in it. When the app evaluates that expression, the attacker can:
- steal private data,
- crash the app, or
- even take complete control of the server.
How To Protect Yourself
Staying safe is an easy mantra:
- Update to the latest version of the library,
- Never trust user input,
- Filter and/or security-check every expression before letting the app evaluate it.
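To make "never trust user input" and "filter before evaluating" concrete, here is an added example in JavaScript. It is written for this post and is not code from the expr-eval project. It assumes the expression arrives as an untrusted string from a form or an API. The string is gated through a strict tokenizer that accepts only numbers, arithmetic operators, parentheses and variable names the application itself declared, and the length is capped so a deeply nested input cannot crash the process through recursion; anything else (function calls, property access, strings, unknown names) is rejected before evaluation. The small evaluator it then runs is a hypothetical stand-in for expr-eval so the example runs offline; it deliberately supports arithmetic only.

```javascript
// Added example, not part of the original post and not expr-eval's own code.
// Gate an untrusted expression string before any evaluator sees it.

// Sticky regex: one token per exec() call, starting at lastIndex.
// Accepted tokens: decimal numbers, identifiers, the operators + - * / ^ and parentheses.
const TOKEN_RE = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*)|([-+*\/^()]))/y;

function tokenize(src) {
  const tokens = [];
  TOKEN_RE.lastIndex = 0;
  while (TOKEN_RE.lastIndex < src.length) {
    const start = TOKEN_RE.lastIndex;
    const m = TOKEN_RE.exec(src);
    // Any character outside the allowlist (e.g. '.', '"', '=', ',') ends up here.
    if (!m) throw new Error(`expression rejected: illegal character at offset ${start}`);
    if (m[1] !== undefined) tokens.push({ type: 'num', value: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ type: 'id', value: m[2] });
    else tokens.push({ type: 'op', value: m[3] });
  }
  return tokens;
}

// Validation step: size limit plus an allowlist of variable names the app declared.
function validateExpression(src, allowedVars, maxLength = 200) {
  if (typeof src !== 'string' || src.length > maxLength) {
    throw new Error('expression rejected: not a string or too long');
  }
  const tokens = tokenize(src.trim());
  for (const t of tokens) {
    if (t.type === 'id' && !allowedVars.has(t.value)) {
      throw new Error(`expression rejected: unknown identifier "${t.value}"`);
    }
  }
  return tokens;
}

// Hypothetical stand-in for the expression library: a recursive-descent
// arithmetic evaluator with no function calls and no property access.
function evaluateTokens(tokens, variables) {
  let pos = 0;
  const peek = () => tokens[pos];
  const take = (expected) => {
    const t = tokens[pos];
    if (!t || (expected !== undefined && t.value !== expected)) {
      throw new Error(`syntax error near token ${pos}`);
    }
    pos += 1;
    return t;
  };
  const isOp = (v) => peek() !== undefined && peek().type === 'op' && peek().value === v;

  function expr() {                       // expr := term (('+' | '-') term)*
    let v = term();
    while (isOp('+') || isOp('-')) v = take().value === '+' ? v + term() : v - term();
    return v;
  }
  function term() {                       // term := unary (('*' | '/') unary)*
    let v = unary();
    while (isOp('*') || isOp('/')) v = take().value === '*' ? v * unary() : v / unary();
    return v;
  }
  function unary() {                      // unary := '-' unary | power
    if (isOp('-')) { take(); return -unary(); }
    return power();
  }
  function power() {                      // power := atom ('^' unary)?  (right-associative)
    const base = atom();
    if (isOp('^')) { take(); return base ** unary(); }
    return base;
  }
  function atom() {                       // atom := num | id | '(' expr ')'
    const t = take();
    if (t.type === 'num') return t.value;
    if (t.type === 'id') {
      // Own-property check only: never walk the prototype chain for a name.
      if (!Object.prototype.hasOwnProperty.call(variables, t.value)) {
        throw new Error(`unknown variable "${t.value}"`);
      }
      return variables[t.value];
    }
    if (t.value === '(') { const v = expr(); take(')'); return v; }
    throw new Error(`unexpected token "${t.value}"`);
  }

  const result = expr();
  if (pos !== tokens.length) throw new Error('syntax error: trailing input');
  return result;
}

// Public entry point: validate first, evaluate only what passed the gate.
function safeEvaluate(src, variables) {
  const tokens = validateExpression(src, new Set(Object.keys(variables)));
  return evaluateTokens(tokens, variables);
}

// Convenience for callers that only need a yes/no: was the input rejected?
function isRejected(src, variables) {
  try { safeEvaluate(src, variables); return false; } catch (e) { return true; }
}

// Constructed sample inputs: one legitimate formula, two that should never reach an evaluator.
console.log(safeEvaluate('2 + 3 * x', { x: 4 }));          // 14
console.log(isRejected('x.constructor', { x: 1 }));          // true ('.' is not allowed)
console.log(isRejected('f(1)', { x: 1 }));                   // true (f was never declared)
```

In a real deployment the same gate sits in front of the library call, and the dependency is kept at the patched version; the gate is defence in depth, not a substitute for updating. Note that the length cap is what protects against the "crash the app" outcome: without it, a few thousand opening parentheses would exhaust the call stack of any recursive evaluator.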
The lesson here is that we all share responsibility for keeping an eye on the open-source tools we depend on. They are amazing, but anyone can create or modify them, and that includes introducing errors like this one!
If you are using JavaScript libraries, stay responsible: make checking for updates part of your coding routine, and stay aware. A small bug in a math library like expr-eval can lead to much bigger problems if it goes unaddressed.
So the next time you are coding, keep in the back of your mind that even a simple little math library can cause real chaos if it is left unpatched. Be responsible and always check for updates!