GHSA-876r-hj45-fw7g – safer-eval

Package

Manager: npm
Name: safer-eval
Vulnerable Version: >=0.0.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Sandbox Breakout / Arbitrary Code Execution in safer-eval All versions of `safer-eval` are vulnerable to Sandbox Escape leading to Remote Code Execution. It is possible to escape the sandbox by forcing exceptions recursively in the evaluated code. This may allow attacker to execute arbitrary code in the system. ## Recommendation The package is not suited to receive arbitrary user input. Consider using an alternative package.

Metadata

Created: 2020-09-03T21:18:41Z
Modified: 2020-08-31T18:51:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-876r-hj45-fw7g/GHSA-876r-hj45-fw7g.json
CWE IDs: []
Alternative ID: N/A
Finding: F422
Auto approve: 1