Description
The static-eval module is intended to evaluate statically analyzable expressions. In affected versions, untrusted user input can reach the global Function constructor, which effectively allows arbitrary code execution.
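The bug class described above, as an added example that is not static-eval's code: a small evaluator over hand-built ESTree-shaped nodes, where unrestricted property access lets an expression reach the Function constructor from any function in scope, and a hardened mode refuses that path. The names evaluate, BLOCKED_PROPS, sampleScope and member are hypothetical, and the sample scope is constructed.

```javascript
// Added illustration, not static-eval's source: a tiny evaluator over
// hand-built ESTree-shaped nodes (Literal, Identifier, MemberExpression).
// All names here (evaluate, BLOCKED_PROPS, sampleScope, member) are hypothetical.
const BLOCKED_PROPS = new Set(['constructor', '__proto__', 'prototype']);
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function evaluate(node, scope, hardened) {
  switch (node.type) {
    case 'Literal':
      return node.value;
    case 'Identifier':
      // Only own properties of the caller-supplied scope are visible.
      if (own(scope, node.name)) return scope[node.name];
      throw new Error(`unknown identifier: ${node.name}`);
    case 'MemberExpression': {
      const obj = evaluate(node.object, scope, hardened);
      const key = node.computed
        ? evaluate(node.property, scope, hardened)
        : node.property.name;
      if (hardened) {
        // Refuse names that lead from ordinary values to constructors.
        if (BLOCKED_PROPS.has(String(key))) {
          throw new Error(`blocked property: ${String(key)}`);
        }
        // Read own properties only; never walk the prototype chain.
        if (obj == null || !own(obj, key)) return undefined;
      }
      const value = obj[key];
      // Defense in depth: never hand back the Function constructor itself.
      if (hardened && value === Function) {
        throw new Error('Function constructor is not reachable');
      }
      return value;
    }
    default:
      throw new Error(`unsupported node type: ${node.type}`);
  }
}

// Constructed sample scope and a helper that builds `object.name` nodes.
const sampleScope = { helper: (x) => x + 1, config: { retries: 3 } };
const member = (object, name) => ({
  type: 'MemberExpression', computed: false,
  object: { type: 'Identifier', name: object },
  property: { type: 'Identifier', name },
});
```

With `hardened` false, `member('helper', 'constructor')` evaluates to the Function constructor; with `hardened` true the same node throws, while `member('config', 'retries')` still evaluates to 3.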
Remediation
References
https://github.com/substack/static-eval/pull/18
https://maustin.net/articles/2017-10/static_eval
https://nodesecurity.io/advisories/548