Disclosure of Hardened JavaScript shim (ses) vulnerability CVE-2023-39532

Kris Kowal

Aug 8, 2023, 2:01:37 PM
to SES-strategy
A member of our community, Ricardo Vieitez Parra (@corrideat), has discovered a vulnerability in the Hardened JavaScript shim that provides Lockdown, Harden, and Compartment and is called ses in npm. The vulnerability enables a guest program to use the host’s dynamic import behavior. On the Node.js platform, this provides a path to executing arbitrary code with the authority of the user. The extent of the vulnerability is most obvious on Node.js if a confined guest uses the spread operator around dynamic import to execute an unconfined JavaScript data URL.

{...import('data:text/javascript,')}

The vulnerability first appears in ses version 0.13. We have published a patch to every affected version train such that a package using an npm carat ^ constraint will be patched with a simple update and will not need to address any subsequent breaking changes.

For details about the vulnerability, please consult the advisory on GitHub:

https://github.com/endojs/endo/security/advisories/GHSA-9c4h-3f7h-322r

Over the last week, we have been in touch with members of our community who run SES in production systems and all who choose to patch in advance of the public disclosure have done so. We do not presume that we have a relationship with every member of our community running SES in production. If your service or application would have benefited from inclusion in the early disclosure of this vulnerability, please contact secu...@agoric.com and we will engage with you in the future.

Kris Kowal