GHSA-9gxr-rhx6-4jgv – notevil
Package
Manager: npm
Name: notevil
Vulnerable Version: >=0 <1.3.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:R
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Sandbox Breakout / Prototype Pollution in notevil

Versions of `notevil` prior to 1.3.3 are vulnerable to a sandbox escape leading to prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. Evaluating the payload `try{a[b];}catch(e){e.constructor.constructor('return __proto__.arguments.callee.__proto__.polluted=true')()}` adds the `polluted` property to the `Function` prototype.

Recommendation

Upgrade to version 1.3.3 or later.
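As an added illustration (not code from the advisory or from the notevil project), the check below detects the effect this advisory describes: because the escape runs code in the host realm, the host's own `Function.prototype` is what gets modified, so snapshotting the watched prototypes before and after untrusted evaluation exposes the pollution. The `evaluate` callback stands in for any sandboxed evaluator (hypothetical; the two sandboxes at the end are constructed stand-ins, not notevil).

```javascript
// Prototypes a host typically cares about when running untrusted code.
const WATCHED = { Object: Object.prototype, Function: Function.prototype, Array: Array.prototype };

// Record the own keys (strings and symbols) of every watched prototype.
function snapshotPrototypes() {
  const snap = {};
  for (const [name, proto] of Object.entries(WATCHED)) {
    snap[name] = new Set(Reflect.ownKeys(proto));
  }
  return snap;
}

// Return every key added to a watched prototype since `before` was taken.
function detectPollution(before) {
  const added = [];
  for (const [name, proto] of Object.entries(WATCHED)) {
    for (const key of Reflect.ownKeys(proto)) {
      if (!before[name].has(key)) added.push({ proto: name, key });
    }
  }
  return added;
}

// Run `evaluate(source)` (hypothetical sandbox wrapper), report any host-realm
// prototype pollution it caused, and remove the added keys so one bad run does
// not taint later ones. Errors thrown by the evaluator are returned, not rethrown.
function runUntrustedChecked(evaluate, source) {
  const before = snapshotPrototypes();
  let result, error;
  try { result = evaluate(source); } catch (e) { error = e; }
  const polluted = detectPollution(before);
  for (const { proto, key } of polluted) delete WATCHED[proto][key];
  return { result, error, polluted };
}

// Constructed stand-ins: one stays inside its box, the other reproduces the
// advisory's outcome (a `polluted` property on Function.prototype) directly.
const benignSandbox = (src) => src.length;
const leakySandbox = () => { Function.prototype.polluted = true; };
```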
Metadata
Created: 2020-09-04T15:18:57Z
Modified: 2020-08-31T18:55:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-9gxr-rhx6-4jgv/GHSA-9gxr-rhx6-4jgv.json
CWE IDs: CWE-1321
Alternative ID: N/A
Finding: F390
Auto approve: 1