Expression.prototype.toJSFunction() compiles user-controlled expressions using new Function and with scopes. When the expression is untrusted, this can lead to arbitrary JavaScript execution in the host process.
- Severity: Critical (code execution in the same privileges as the host process)
- Affected users: Any application that calls
toJSFunction()on untrusted expressions. - Attack preconditions: Attacker controls the expression string.
toJSFunction() emits a JS function using new Function(...) and wraps operator/function tables with with(...). This does not sandbox the environment. Any identifier not found in those with scopes falls through to the global scope, allowing access to built-ins like Function. The attacker can then execute arbitrary JS.
This demonstrates arbitrary JS execution by invoking console.log:
const { Parser } = require('expr-eval');
const input = 'Function("return console.log")()("hello world")';
Parser.parse(input).toJSFunction()();