Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY2M3gteGM5ai1oaHZx
Sandbox Breakout / Arbitrary Code Execution in safer-eval
All versions of safer-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to process arbitrary user input. This may allow attackers to execute arbitrary code in the system.
Recommendation
The package is not meant to receive user input. Consider using an alternative package until a fix is made available.
Permalink: https://github.com/advisories/GHSA-v63x-xc9j-hhvq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY2M3gteGM5ai1oaHZx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-v63x-xc9j-hhvq, CVE-2019-10769
References:
- https://github.com/commenthol/safer-eval/security/advisories/GHSA-v63x-xc9j-hhvq
- https://nvd.nist.gov/vuln/detail/CVE-2019-10769
- https://github.com/advisories/GHSA-v63x-xc9j-hhvq
- https://www.npmjs.com/advisories/1428
- https://snyk.io/vuln/SNYK-JS-SAFEREVAL-534901
Blast Radius: 41.7
Affected Packages
npm:safer-eval
Dependent packages: 24
Dependent repositories: 17,794
Downloads: 43,591 last month
Affected Version Ranges: <= 1.3.6
No known fixed version
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6