CVE-2019-10769 – safer-eval
Package
Manager: npm
Name: safer-eval
Vulnerable Version: >=0 <=1.3.6
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00525 (percentile 0.6605)
Details
Sandbox Breakout / Arbitrary Code Execution in safer-eval
All versions of `safer-eval` are vulnerable to a sandbox escape leading to remote code execution. The package fails to restrict access to the main context and is not suited to processing arbitrary user input. This may allow attackers to execute arbitrary code on the system.
Recommendation
The package is not meant to receive user input. Consider using an alternative package until a fix is made available.
Metadata
Created: 2019-12-11T02:01:44Z
Modified: 2021-07-28T16:43:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-v63x-xc9j-hhvq/GHSA-v63x-xc9j-hhvq.json
CWE IDs: ["CWE-20", "CWE-94"]
Alternative ID: GHSA-v63x-xc9j-hhvq
Finding: F184
Auto approve: 1