Description
All versions of the package safe-eval are vulnerable to Prototype Pollution, which allows an attacker to add or modify properties of Object.prototype when using the function safeEval. This is because the function uses the vm variable, which lets an attacker modify properties of Object.prototype.
Remediation
References
https://github.com/hacksparrow/safe-eval/issues/26
https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701