Lookup for vulnerable packages by Package URL.

Purl pkg:npm/notevil@0.8.1
Type npm
Namespace
Name notevil
Version 0.8.1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-75c9-8124-buaa
vulnerability_id VCID-75c9-8124-buaa
summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in notevil.
references
0
reference_url https://www.npmjs.com/advisories/1093
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1093
1
reference_url https://github.com/advisories/GHSA-7r5f-7qr4-pf6q
reference_id GHSA-7r5f-7qr4-pf6q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7r5f-7qr4-pf6q
fixed_packages
0
url pkg:npm/notevil@1.3.2
purl pkg:npm/notevil@1.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8bst-w9fp-7faa
1
vulnerability VCID-echx-vz3r-ryfq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/notevil@1.3.2
aliases GHSA-7r5f-7qr4-pf6q, GMS-2020-410
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-75c9-8124-buaa
1
url VCID-8bst-w9fp-7faa
vulnerability_id VCID-8bst-w9fp-7faa
summary
Sandbox Breakout / Prototype Pollution in notevil
Versions of `notevil` are vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype.

Evaluating the payload ```try{a[b];}catch(e){e.constructor.constructor('return __proto__.arguments.callee.__proto__.polluted=true')()}``` adds the `polluted` property to Function.
references
0
reference_url https://www.npmjs.com/advisories/1338
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1338
1
reference_url https://github.com/advisories/GHSA-9gxr-rhx6-4jgv
reference_id GHSA-9gxr-rhx6-4jgv
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9gxr-rhx6-4jgv
fixed_packages
0
url pkg:npm/notevil@1.3.3
purl pkg:npm/notevil@1.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-echx-vz3r-ryfq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/notevil@1.3.3
aliases GHSA-9gxr-rhx6-4jgv, GMS-2020-411
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8bst-w9fp-7faa
2
url VCID-echx-vz3r-ryfq
vulnerability_id VCID-echx-vz3r-ryfq
summary
Sandbox escape in notevil and argencoders-notevil
This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-23771
reference_id
reference_type
scores
0
value 0.00304
scoring_system epss
scoring_elements 0.53975
published_at 2026-06-04T12:55:00Z
1
value 0.00304
scoring_system epss
scoring_elements 0.54033
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-23771
1
reference_url https://github.com/mmckegg/notevil
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mmckegg/notevil
2
reference_url https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-ARGENCODERSNOTEVIL-2388587
3
reference_url https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-NOTEVIL-2385946
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-23771
reference_id CVE-2021-23771
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-23771
5
reference_url https://github.com/advisories/GHSA-8g4m-cjm2-96wq
reference_id GHSA-8g4m-cjm2-96wq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8g4m-cjm2-96wq
fixed_packages
aliases CVE-2021-23771, GHSA-8g4m-cjm2-96wq
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-echx-vz3r-ryfq
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/notevil@0.8.1