Description
The static-eval module is intended to evaluate statically analyzable expressions. In affected versions, untrusted user input can reach the global Function constructor, which effectively allows arbitrary code execution.
Remediation
References
https://github.com/substack/static-eval/pull/18
https://maustin.net/articles/2017-10/static_eval
https://nodesecurity.io/advisories/548