Description
An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands.
Remediation
References
https://nodesecurity.io/advisories/143
Related Vulnerabilities
CVE-2019-10344 Vulnerability in maven package io.jenkins:configuration-as-code
CVE-2017-16165 Vulnerability in npm package calmquist.static-server
CVE-2012-4449 Vulnerability in maven package org.apache.hadoop:hadoop-common
CVE-2021-21423 Vulnerability in npm package projen
CVE-2020-13955 Vulnerability in maven package org.apache.calcite:calcite-core