From 4c81ca07d976f31d28d642569de063d1aeaa58d0 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Mon, 28 Jul 2025 15:47:25 -0400 Subject: [PATCH] Add warning to README about sandbox escapes --- README.md | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/README.md b/README.md index bbb6640..032a9c3 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,49 @@ # safe-eval [![npm version](https://badge.fury.io/js/safe-eval.svg)](https://badge.fury.io/js/safe-eval) [![Build Status](https://travis-ci.org/hacksparrow/safe-eval.svg?branch=master)](https://travis-ci.org/hacksparrow/safe-eval) +--- + +# ⚠️ CRITICAL SECURITY WARNING ⚠️ + +**`safe-eval` IS HARMFUL - so you are warned!** + +This package contains **multiple known payloads to bypass the sandbox logic** and should **NOT** be used for executing untrusted code. There are numerous documented sandbox escape vulnerabilities that have been reported and remain unpatched. + +## Known Security Issues + +- **Multiple sandbox escape bugs** have been reported in the GitHub issues +- **Prototype pollution vulnerabilities** exist in the safeEval function +- **Process crash vulnerabilities** can be triggered by malicious code +- **Context injection attacks** can bypass intended restrictions + +## ⚠️ IMPORTANT WARNINGS + +- **DO NOT** use this package with user-submitted data +- **DO NOT** use this package with code from untrusted sources +- **DO NOT** rely on this package for security-critical applications +- **Consider alternatives** like `isolated-vm`` for Node.js sandboxing + +## Better Alternatives + +For Node.js applications, consider using: +- [`isolated-vm`](https://www.npmjs.com/package/isolated-vm) - Google's V8 Isolate API + +## Multiple Bypasses Documented + +Multiple sandbox escape vulnerabilities have been reported in the GitHub issues: +- [Issue #38](https://github.com/hacksparrow/safe-eval/issues/38) - Sandbox Escape Bug +- [Issue #35](https://github.com/hacksparrow/safe-eval/issues/35) - Sandbox Escape Bug +- [Issue #34](https://github.com/hacksparrow/safe-eval/issues/34) - Sandbox Escape Bug +- [Issue #33](https://github.com/hacksparrow/safe-eval/issues/33) - Sandbox Escape Bug +- [Issue #32](https://github.com/hacksparrow/safe-eval/issues/32) - Sandbox Escape Bug +- [Issue #31](https://github.com/hacksparrow/safe-eval/issues/31) - Sandbox Escape 
Bug +- [Issue #28](https://github.com/hacksparrow/safe-eval/issues/28) - Sandbox Escape Bug +- [Issue #27](https://github.com/hacksparrow/safe-eval/issues/27) - Sandbox Escape +- [Issue #26](https://github.com/hacksparrow/safe-eval/issues/26) - Prototype pollution in function safeEval + +**Before using this module, ask yourself if there are no better options than using safe-eval. It is potentially better than the bad old `eval()` but has harmful potential.** + +--- + **NOTE** `safe-eval` `0.3.0` and below are affected by a sandbox breakout vulnerability - [NSP 337](https://nodesecurity.io/advisories/337), [CVE-2017-16088](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16088).
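Review bot: the alternatives bullet under "IMPORTANT WARNINGS" has a stray closing backtick, `` `isolated-vm`` ``, which breaks the inline code span and renders a literal backtick; it should read `isolated-vm`. In the "Better Alternatives" list, "Google's V8 Isolate API" is misleading: isolated-vm is a third-party npm package, not a Google project; it exposes V8's Isolate API to Node.js, so something like "a Node.js library exposing V8's Isolate API" is more accurate. The "Known Security Issues" and "Multiple Bypasses Documented" sections say the same thing twice; folding the issue links under the first heading would shorten the warning, and the links would be more useful if each entry said what the bypass reaches rather than repeating the identical "Sandbox Escape Bug" label. Finally, the pre-existing NOTE about 0.3.0 / CVE-2017-16088 now sits below a `---` rule, detached from the new list; consider moving it into "Known Security Issues" so a reader sees that the advisory-tracked breakout and the later unpatched issues are the same class of problem.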