The vulnerability resides in the `APIVersion` rule of the affected component, which used the insecure JavaScript `new Function()` constructor to dynamically evaluate expression strings (e.g., “>=58”) provided within flow metadata files. When the scanner processes a flow, it passes the user-controllable expression string directly into new Function(), which compiles and executes it as arbitrary JavaScript code. An attacker can craft a malicious flow metadata file or rule configuration where the `expression` field contains harmful JavaScript code instead of a simple comparator. During a scan—whether on a developer’s local machine, in a CI/CD pipeline, or within an editor plugin—this malicious payload is executed with the privileges of the scanning process. This provides a direct vector for remote code execution, allowing an attacker to compromise the host system, steal secrets, or pivot into internal networks, fundamentally subverting the security of the development and deployment environment.
dailycve form:
Platform: MuleSoft Anypoint
Version: core-v6.10.6, vsx v2.4.4
Vulnerability: Code Injection
Severity: Critical
Date: 2025-12-13
Prediction: 2024-01-31 (Patched)
What Undercode Say:
Analytics:
The vulnerability stems from unsafe dynamic code evaluation. The following code block is the workaround to manually evaluate the APIVersion rule safely, avoiding the use of new Function().
```javascript
// Handle APIVersion rule separately to avoid unsafe-eval
// (this runs inside the scanner's rule-evaluation method, where `ruleConfig`
// is the loaded rule configuration and `this.currentFlow` is the flow under scan)
const apiVersionConfig = ruleConfig.rules.APIVersion;
if (apiVersionConfig) {
  // Remove the rule so the generic (new Function()-based) evaluator never sees it
  delete ruleConfig.rules.APIVersion;
  const flowApiVer = this.currentFlow.apiVersion || this.currentFlow.xmlData?.apiVersion;
  let requiredExpr;
  if (apiVersionConfig.expression) {
    requiredExpr = apiVersionConfig.expression;
  } else if (apiVersionConfig.threshold != null) {
    requiredExpr = `>=${apiVersionConfig.threshold}`;
  }
  if (requiredExpr) {
    // Split the expression into its numeric part and its operator by character
    // class; the string is never compiled or executed
    const minVer = parseInt(requiredExpr.replace(/[^0-9]/g, ""), 10);
    const operator = requiredExpr.replace(/[0-9]/g, "").trim();
    // Each entry returns true when the flow's version VIOLATES the rule.
    // Note: flowApiVer may be a string; `<`/`>` coerce it, `!==` does not.
    const operators = {
      ">=": (a, b) => a < b,
      "<": (a, b) => a >= b,
      ">": (a, b) => a <= b,
      "<=": (a, b) => a > b,
      "==": (a, b) => a !== b,
      "=": (a, b) => a !== b
    };
    // An unrecognised operator falls back to a plain minimum-version check
    const violation = operators[operator] ? operators[operator](flowApiVer, minVer) : flowApiVer < minVer;
    if (violation) {
      // ... construct and push manual result ...
    }
  }
}
```
How Exploit:
An attacker creates a malicious Mule flow XML file or modifies scan configuration to inject a JavaScript payload into the `apiVersion` expression field (e.g., expression: ">=58; console.log(process.env)"). When the vulnerable scanner version parses this file, the `new Function()` call executes the attacker’s code.
Protection from this CVE:
Immediately update to the patched versions: `core-v6.10.6` or `vsx v2.4.4`. If immediate updating is not possible, implement the provided workaround script to manually handle and sanitize the APIVersion rule evaluation before scanning.
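The workaround above still derives the operator by stripping digits, so any leftover characters end up as an "unknown operator" that silently falls back to a minimum-version check. A stricter approach is to validate the whole expression against a fixed grammar and refuse to scan when it does not match. The following is an added example written for this page, not code from the advisory or from the scanner project; the function names (`parseVersionExpression`, `checkApiVersionRule`, `runSamples`), the `OPERATORS` table and the sample inputs are assumptions, and the rule-config shape (`expression` or numeric `threshold`) mirrors the workaround's.

```javascript
// Added example (not code from the advisory or from the scanner project):
// a strict evaluator for APIVersion rule expressions such as ">=58".
// Instead of compiling the expression with new Function(), it accepts only
// "<operator><integer>" and rejects anything else as a configuration error,
// so an injected string like ">=58; console.log(process.env)" is never run.

// Comparison semantics: true when the flow's version satisfies the rule.
const OPERATORS = Object.freeze({
  ">=": (actual, required) => actual >= required,
  ">": (actual, required) => actual > required,
  "<=": (actual, required) => actual <= required,
  "<": (actual, required) => actual < required,
  "==": (actual, required) => actual === required,
  "=": (actual, required) => actual === required,
});

// Anchored whole-string match: one known operator, then 1-4 digits, with
// optional whitespace only. Code, trailing characters or a bare number fail.
const EXPRESSION_RE = /^\s*(>=|<=|==|=|>|<)\s*(\d{1,4})\s*$/;

// Parse a rule expression into { operator, version } or throw.
function parseVersionExpression(expression) {
  if (typeof expression !== "string") {
    throw new TypeError("APIVersion expression must be a string");
  }
  const match = EXPRESSION_RE.exec(expression);
  if (match === null) {
    throw new Error(`Rejected APIVersion expression: ${JSON.stringify(expression)}`);
  }
  return { operator: match[1], version: Number(match[2]) };
}

// Same config shape as the workaround: an explicit `expression`, or a numeric
// `threshold` meaning ">=threshold". Returns null when the rule is unset.
function requiredExpressionFor(apiVersionConfig) {
  if (apiVersionConfig.expression != null) return apiVersionConfig.expression;
  if (apiVersionConfig.threshold != null) return `>=${apiVersionConfig.threshold}`;
  return null;
}

// Evaluate the APIVersion rule for one flow. Returns a result object; throws
// if the expression or the flow's version cannot be parsed safely.
function checkApiVersionRule(apiVersionConfig, flowApiVersion) {
  const expression = requiredExpressionFor(apiVersionConfig);
  if (expression === null) return { evaluated: false, violation: false };

  const { operator, version } = parseVersionExpression(expression);
  // Flow metadata may carry the version as a string ("58"); normalise before
  // comparing so "==" does not silently fail on "58" !== 58.
  const actual = Number(flowApiVersion);
  if (!Number.isInteger(actual)) {
    throw new Error(`Flow apiVersion is not an integer: ${JSON.stringify(flowApiVersion)}`);
  }
  const satisfied = OPERATORS[operator](actual, version);
  return { evaluated: true, violation: !satisfied, operator, required: version, actual };
}

// Constructed sample rule configs and flow versions (not from a real scan);
// the last one is the injected-expression shape described in the advisory.
const SAMPLES = [
  { config: { expression: ">=58" }, flowVersion: 57 },
  { config: { expression: ">=58" }, flowVersion: "58" },
  { config: { threshold: 60 }, flowVersion: 59 },
  { config: { expression: ">=58; console.log(process.env)" }, flowVersion: 58 },
];

// Run every sample and return one line per outcome; a rejected expression is
// reported as a configuration error rather than executed.
function runSamples(samples = SAMPLES) {
  return samples.map(({ config, flowVersion }) => {
    try {
      const r = checkApiVersionRule(config, flowVersion);
      return `${JSON.stringify(config)} vs ${JSON.stringify(flowVersion)}: violation=${r.violation}`;
    } catch (err) {
      return `${JSON.stringify(config)}: rejected (${err.message})`;
    }
  });
}

console.log(runSamples().join("\n"));
```

Failing closed on an unparseable expression is deliberate: a scanner that cannot understand a rule should stop and report it, rather than guess an operator or, as in the vulnerable version, hand the string to the JavaScript engine.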
Impact:
Arbitrary JavaScript/Remote Code Execution on developer workstations, CI/CD servers, and editor environments, leading to full system compromise, data exfiltration, and supply chain attacks.
Sources:
Reported By: github.com