Description
Sandbox Breakout / Arbitrary Code Execution in safer-eval
Versions of safer-eval prior to 1.3.4 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. For example, evaluating the string console.constructor.constructor('return process')().env prints process.env to the console.
Recommendation
Upgrade to version 1.3.4 or later.
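To act on the recommendation, a dependency audit is the check a practitioner wants: the following script is an added example (not part of this advisory or of the safer-eval project) that walks a parsed package-lock.json and flags every installed copy of safer-eval whose version falls in the affected range (< 1.3.4). The lockfile below is constructed sample data; version strings are compared numerically per dotted component, with prerelease and build tags ignored.

```javascript
// Added example (not from the advisory): report safer-eval installs in the
// affected range (< 1.3.4) found in an npm lockfile.
const AFFECTED_PKG = 'safer-eval';
const FIXED_VERSION = '1.3.4';

// Numeric comparison of dotted version strings: returns -1, 0 or 1.
// Prerelease/build suffixes ("-beta", "+build") are stripped first.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A version is affected when it sorts strictly below the fixed release.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// lockfileVersion 1 stores a nested "dependencies" tree; walk it recursively.
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === AFFECTED_PKG && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    walkV1(meta.dependencies, `${path}/`, hits);
  }
}

// lockfileVersion 2/3 store a flat "packages" map keyed by node_modules path.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED_PKG}`)) continue;
    if (meta.version && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  walkV1(lock.dependencies, '', hits);
  return hits;
}

// Constructed sample lockfile: a direct install in range, a nested copy already fixed.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/safer-eval': { version: '1.3.3' },
    'node_modules/some-lib/node_modules/safer-eval': { version: '1.3.4' },
  },
};

console.log(findAffected(sampleLock));
```

Run against a real project with `findAffected(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means no installed copy is in the affected range.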
Packages
Name
safer-eval
npm
Affected versions: < 1.3.4
Fixed version: 1.3.4
Related vulnerabilities
CVSS3: 9.9
nvd
more than 6 years ago
safer-eval before 1.3.4 is vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.