
[Vulnerability] nodejs/node: Code Injection #25

@github-actions

Description

Potential Security Vulnerability Detected

Repository: nodejs/node
Commit: 4d867af
Author: Shelley Vohr
Date: 2026-02-16T14:59:14Z

Commit Message

build: generate_config_gypi.py generates valid JSON

PR-URL: https://github.com/nodejs/node/pull/61791
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>

Pull Request

PR: #61791 - build: generate_config_gypi.py generates valid JSON
Labels: tools, author ready

Description:
Refs nodejs/node#60794

generate_config_gypi.py needs to generate valid JSON and didn't.

Analysis

Vulnerability Type: Code Injection
Severity: High

Description

The code used eval() to parse configuration data, which allows arbitrary Python code execution if an attacker can control the node_builtin_shareable_builtins configuration value. The patch replaces eval() with json.loads() to safely parse JSON data.

Affected Code

eval(config['node_builtin_shareable_builtins'])

Proof of Concept

An attacker could set node_builtin_shareable_builtins to '__import__("os").system("rm -rf /")' which would execute arbitrary shell commands when eval() processes it during the build configuration generation.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-02-16T14:59:50.675Z
