Description
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE").
Vulnerable functions:
__defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().
Vulnerable configurations
Configuration 1: versions up to and including 0.4.1
cpe:2.3:a:safe-eval_project:safe-eval:*:*:*:*:*:node.js:*:*
EPSS
Percentile: 87%
0.03181
Low
CVSS3
8.8 High
10 Critical
Weaknesses
CWE-265
CWE-1321
Related vulnerabilities
CVSS3: 10
github
almost 3 years ago
safe-eval vulnerable to Sandbox Bypass due to improper input sanitization