{"id":24965,"date":"2026-03-06T15:14:42","date_gmt":"2026-03-06T14:14:42","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0013\/"},"modified":"2026-03-10T10:03:03","modified_gmt":"2026-03-10T09:03:03","slug":"usd-2025-0013","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0013\/","title":{"rendered":"usd-2025-0013"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.5\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2025-13 | ArcGIS Arcade (at least until v1.28) - Language Escape in JavaScript Runtime<\/h1>\n

<\/h1>\n

Product<\/strong>: ArcGIS Arcade
Affected Version<\/strong>: at least until v1.28
Vulnerability Type<\/strong>: Sandbox \/ Language Escape
Security Risk<\/strong>: Low
Vendor<\/strong>: ArcGIS
Vendor URL<\/strong>: https:\/\/www.arcgis.com\/index.html<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Not fixed
CVE Number<\/strong>: N\/A
CVE Link<\/strong>: Not requested, Vendor is CNA
Advisory ID<\/strong>: usd-2025-13<\/p>\n

Description<\/h3>\n

Arcade is a scripting Language used in various ArcGIS Products.
When executed in a JavaScript Runtime (either ArcGIS Maps SDK for JavaScript or ArcGIS Online) Arcade scripts can execute arbitrary JavaScript.
This is possible, even though there are measures in place to prevent a language escape.<\/p>\n

Proof of Concept<\/h3>\n

The following snippet leads to an alert on Arcade Playground<\/a>.<\/p>\n

var obj = {};
var func = {\"__proto__\": obj, \"attributes\": obj.constructor};
var target = {\"__proto__\": obj, \"attributes\": obj};
var wrapper = {\"__proto__\": obj, \"attributes\": target};
wrapper.hasField = func.constructor;
var payload = HasKey(target, \"alert(1)\");
wrapper.castToText = payload;Text(target)<\/pre>\n
The main vulnerability lies in the way __proto__<\/strong><\/strong>\/ constructor<\/strong> are handled as properties in Arcade dictionaries.
Internally an Arcade dictionary is a class with an attributes<\/strong> field that stores the actual dictionary.
For instance the dictionary {\"test\":1}<\/strong> would be stored as follows:<\/p>\n
{
    \"declaredClass\": \"esri.arcade.Dictionary\",
    \"plain\": false,
    \"immutable\": false,
    \"attributes\": {
        \"test\": 1
    }
}<\/pre>\n
When creating a dictonary with a __proto__<\/strong><\/strong> key, this structure is destroyed. For example {\"__proto__<\/strong>\":{}, \"attributes\":1}<\/strong>
will lead to the following JavaScript object:<\/p>\n
{
    \"declaredClass\": \"esri.arcade.Dictionary\",
    \"plain\": false,
    \"immutable\": false,
    \"attributes\": 1
}<\/pre>\n
Now accessing the toString<\/strong> property of the Arcade dictionary will resolve to 1.toString<\/strong>.
This way, properties can also be overwritten and hence internal fields manipulated.
Even without manipulation of the internal structure the constructor<\/strong> property allows access to the constructor of the attributes<\/strong> field (usually an Object).<\/p>\n
The Proof of Concept uses these two primitives in the following way:<\/p>\n
1. Create a func<\/strong> object, that has an attributes field containing the Object<\/strong> constructor internally.Accessing func.constructor<\/strong> hence resolves to Object.constructor<\/strong>, which is the Function<\/strong> constructor.<\/p>\n
2. Create a target<\/strong> object and a wrapper<\/strong> object that has target<\/strong> as its attributes field.<\/p>\n
3. Accessing wrapper.hasField<\/strong> accesses the hasField<\/strong> property of target<\/strong>.This method is called internally, when using the HasKey<\/strong> function. Hence overwriting it with the Function<\/strong> constructor leads to the ability of creating arbitrary JavaScript functions.<\/p>\n
4. Using a similar trick, a created function can be executed. This time the castToText<\/strong> method is overwritten.<\/p>\n
Fix<\/h3>\n
Instead of using a primitive JavaScript object to store the attributes of a dictionary, a Map<\/strong> should be used instead.
Also property accesses should be checked using the Map.has<\/strong> method before evaluation.
The square bracket property access should never be done with user input.<\/p>\n
As a general precaution the compiled Arcade script could also be evaluated in an HTML iFrame with a dedicated origin.
This way, even if a language escape is possible, no critical information (e.g., Cookies \/ localStorage) can be accessed by a malicious script.<\/p>\n
References<\/h3>\n