Affected versions of this package are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype.Consolidate runs the risk of Prototype Pollution when using the function safeEval.The function use vm lead an attacker to modify properties of the Object.prototype.the risk locate is in here
Affected versions of this package are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype.Consolidate runs the risk of Prototype Pollution when using the function safeEval.The function use vm lead an attacker to modify properties of the Object.prototype.the risk locate is in here
safe-eval/index.js
Line 24 in 23319e3
and the POC is as follow:
var unsafe= require("safe-eval")
console.log({}.test) //undefined
unsafe("proto.test=123")
console.log({}.test) //123
The text was updated successfully, but these errors were encountered: