Vulnerability Information
Vulnerability Title
Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass
Vulnerability Description
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed.

String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments ('ownerDoc' + 'ument').

DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node['ownerDoc'+'ument']['def'+'aultView'] yields the real window, bypassing all identifier shadows.

Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session. This vulnerability is fixed in 0.9.7.
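Why a word-boundary blocklist misses the string-split form quoted above, next to a review heuristic for imported theme packs. This is an added example, not Lumiverse's code: the BLOCKED list, naiveValidate and auditOverrideSource are assumptions made for illustration, and the samples are constructed.

```javascript
// Added example. BLOCKED and both function names are assumptions for
// illustration; they are not taken from Lumiverse's source.
const BLOCKED = ['fetch', 'window', 'eval', 'document', 'ownerDocument', 'defaultView'];

// Word-boundary blocklist over raw source text, the style of check the
// description attributes to the static validator.
function naiveValidate(source) {
  return BLOCKED.filter((id) => new RegExp(`\\b${id}\\b`).test(source));
}

// Two adjacent quoted literals joined by "+", e.g. 'ownerDoc' + 'ument'.
const CONCAT = /(['"])((?:(?!\1)[^\\\n])*)\1\s*\+\s*(['"])((?:(?!\3)[^\\\n])*)\3/;
// Bracket member access directly after an identifier, ")" or "]".
const COMPUTED = /(?<=[\w$)\]])\[([^\[\]]+)\]/g;

// Review heuristic: fold literal concatenations, re-run the blocklist, and
// list every computed member access whose key is not a plain array index.
function auditOverrideSource(source) {
  let folded = source;
  // Iteration cap keeps the audit bounded on hostile input.
  for (let i = 0; i < 1000 && CONCAT.test(folded); i++) {
    folded = folded.replace(CONCAT, (_m, _q1, a, _q2, b) => JSON.stringify(a + b));
  }
  const computed = [...source.matchAll(COMPUTED)]
    .map((m) => m[1].trim())
    .filter((key) => !/^\d+$/.test(key));
  return { blocked: naiveValidate(folded), computed };
}

// Constructed samples: the fragments quoted in the description, and an
// ordinary component body with hook destructuring and an array index.
const SPLIT_SAMPLE = "const w = node['ownerDoc'+'ument']['def'+'aultView'];";
const BENIGN_SAMPLE = 'const [n, setN] = useState(0); return <p>{items[0]}</p>;';

console.log(naiveValidate(SPLIT_SAMPLE));
console.log(auditOverrideSource(SPLIT_SAMPLE));
console.log(auditOverrideSource(BENIGN_SAMPLE));
```

Folding only undoes literal concatenation, so the computed list is the signal to act on when reviewing a pack before enabling an override. Neither check is a substitute for running 0.9.7 or later.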
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
Protection Mechanism Failure
Vulnerability Title
Lumiverse security vulnerability
Vulnerability Description
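Lumiverse is a full-featured AI chat application suite by the individual developer Prolix OCs. Versions of Lumiverse prior to 0.9.7 contain a security vulnerability. It stems from the component override system transpiling user-supplied TSX via Sucrase and evaluating it with new Function; both the static validator and the global variable shadowing can be bypassed. String splitting bypasses the static validator, and a DOM reference escapes the sandbox to obtain the real window object. Once a malicious theme pack is imported and a component override is enabled, the payload fires in the user's authenticated session.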
CVSS Information
N/A
Vulnerability Type
N/A