CVE-2022-25904

Опубликовано: 20 дек. 2022

Источник: nvd

CVSS3: 7.5

CVSS3: 9.8

EPSS Низкий

Описание

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.

Ссылки

https://github.com/hacksparrow/safe-eval/issues/26
Exploit
Issue Tracking
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701
Exploit
Issue Tracking
Third Party Advisory
https://github.com/hacksparrow/safe-eval/issues/26
Exploit
Issue Tracking
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701
Exploit
Issue Tracking
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:safe-eval_project:safe-eval:*:*:*:*:*:node.js:*:*

Версия до 0.4.1 (включая)

EPSS

Процентиль: 52%

0.00291

Низкий

7.5 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-1321

Связанные уязвимости

GHSA-33vh-7x8q-mg35

CVSS3: 9.8

github

около 3 лет назад

safe-eval vulnerable to Prototype Pollution

EPSS

Процентиль: 52%

0.00291

Низкий

7.5 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-1321