Description

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.

Remediation

References

https://github.com/hacksparrow/safe-eval/issues/26

https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701

Related Vulnerabilities

CVE-2022-43414 Vulnerability in maven package org.jenkins-ci.plugins:nunit

CVE-2021-21252 Vulnerability in npm package jquery-validation

CVE-2020-7614 Vulnerability in npm package npm-programmatic

CVE-2020-7760 Vulnerability in maven package org.webjars.bower:codemirror

CVE-2017-16116 Vulnerability in maven package org.webjars.npm:string

Severity

Critical

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Issue Tracking Third Party Advisory