Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05cDZwLTh2OXItOGM5bc4AA8sB
javascript-deobfuscator crafted payload can lead to code execution
javascript-deobfuscator removes common JavaScript obfuscation techniques. Crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0.
Permalink: https://github.com/advisories/GHSA-9p6p-8v9r-8c9mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cDZwLTh2OXItOGM5bc4AA8sB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-9p6p-8v9r-8c9m, CVE-2024-36120
References:
- https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m
- https://nvd.nist.gov/vuln/detail/CVE-2024-36120
- https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6
- https://github.com/advisories/GHSA-9p6p-8v9r-8c9m
Blast Radius: 1.0
Affected Packages
npm:js-deobfuscator
Dependent packages: 2Dependent repositories: 0
Downloads: 5,000 last month
Affected Version Ranges: < 1.1.0
Fixed in: 1.1.0
All affected versions: 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20
All unaffected versions: 1.1.0, 1.1.1