Happy DOM, VM Escape, CVE-2024-23378 (Critical)

The vulnerability in Happy DOM (v19 and lower) stems from the lack of isolation in the Node.js VM context in which page scripts are evaluated. When JavaScript evaluation is enabled (the default in vulnerable versions), untrusted code can walk the prototype chain to escape its sandbox. Objects inside the VM context ultimately inherit from the host's global `Function` constructor, and a script inside a `<script>` tag can reach it through `this.constructor.constructor`. That reference belongs to the Node.js process itself, not to the sandbox, so an attacker can execute arbitrary code in the host process, for example by returning the `process` object. In CommonJS environments this yields the `require()` function and therefore full Remote Code Execution (RCE) by loading modules such as `fs` or `child_process`. The `--disallow-code-generation-from-strings` Node.js flag mitigates this by preventing the `Function` constructor from compiling new functions from strings anywhere in the process.
Platform: Happy DOM
Version: <= 19
Vulnerability: VM Escape
Severity: Critical

Date: 2024-01-31

Prediction: Patch Released (v20)

What Undercode Says:

Mitigation: start the host process with code generation from strings disabled (the `Function` constructor then throws an `EvalError` instead of compiling the string):

```shell
node --disallow-code-generation-from-strings app.js
```

Proof of concept placed inside a `<script>` tag in the server-side-rendered HTML:

```javascript
// Walk the prototype chain to the host realm's Function constructor,
// then compile and call a function that returns the host `process` object.
const process = this.constructor.constructor('return process')();
// CommonJS only: the entry module's `require` is reachable from `process`.
const require = process.mainModule.require;
// Arbitrary module loading in the host process: here child_process.
require('child_process').execSync('calc.exe');
```

How the Exploit Works:

1. The attacker supplies a malicious `<script>` in the SSR HTML that Happy DOM evaluates.
2. The script uses `this.constructor.constructor` to escape the VM context.
3. The script obtains the host Node.js `process` object.
4. In CommonJS, the script retrieves the `require` function from it.
5. It imports the `fs` or `child_process` module.
6. This achieves file system access or remote code execution.

Protection from this CVE:

Update Happy DOM to v20+.

JavaScript evaluation is disabled by default from v20 onward.

Run Node.js with the `--disallow-code-generation-from-strings` flag.

Do not evaluate untrusted HTML or scripts in Happy DOM < v20.

Impact:

Remote Code Execution (RCE)

File System Access

Data Exfiltration

Lateral Movement

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
