Sandbox Breakout / Arbitrary Code Execution in safer-eval

Critical severity · GitHub Reviewed · Published Oct 17, 2019 · Updated Aug 13, 2022

Package

safer-eval (npm)

Affected versions

< 1.3.2

Patched versions

1.3.2

Description

Versions of safer-eval before 1.3.2 are vulnerable to a sandbox escape leading to remote code execution. A payload that reaches the host realm through constructor properties of objects exposed inside the sandbox can escape it and execute arbitrary code.

Recommendation

Upgrade to version 1.3.2.

Severity

Critical 9.9 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2019-10760

GHSA ID

GHSA-hgch-jjmr-gp7w

Source code

No known source code