Description

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.

Remediation

References

https://github.com/hacksparrow/safe-eval/issues/26

https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701

Related Vulnerabilities

CVE-2020-15242 Vulnerability in npm package next

CVE-2022-25758 Vulnerability in maven package org.webjars.npm:scss-tokenizer

CVE-2022-41915 Vulnerability in maven package io.netty:netty-codec

CVE-2017-16176 Vulnerability in npm package jansenstuffpleasework

CVE-2021-42392 Vulnerability in maven package com.h2database:h2

Severity

Critical

Classification

CWE-1321 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Issue Tracking Third Party Advisory