VulnerableCode Package Details - pkg:npm/notevil@1.3.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-8bst-w9fp-7faa Aliases: GHSA-9gxr-rhx6-4jgv GMS-2020-411	Sandbox Breakout / Prototype Pollution in notevil Versions of `notevil` are vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing attacker to add or modify an object's prototype. Evaluating the payload ```try{a[b];}catch(e){e.constructor.constructor('return __proto__.arguments.callee.__proto__.polluted=true')()}``` add the `polluted` property to Function.	1.3.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-echx-vz3r-ryfq Aliases: CVE-2021-23771 GHSA-8g4m-cjm2-96wq	Sandbox escape in notevil and argencoders-notevil This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. Note: This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-8bst-w9fp-7faa
Aliases:
GHSA-9gxr-rhx6-4jgv
GMS-2020-411

Sandbox Breakout / Prototype Pollution in notevil Versions of `notevil` are vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing attacker to add or modify an object's prototype. Evaluating the payload ```try{a[b];}catch(e){e.constructor.constructor('return __proto__.arguments.callee.__proto__.polluted=true')()}``` add the `polluted` property to Function.

1.3.3
Affected by 1 other vulnerability.

VCID-echx-vz3r-ryfq
Aliases:
CVE-2021-23771
GHSA-8g4m-cjm2-96wq

Sandbox escape in notevil and argencoders-notevil This affects all versions of package notevil; all versions of package argencoders-notevil. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype. **Note:** This vulnerability derives from an incomplete fix in [SNYK-JS-NOTEVIL-608878](https://security.snyk.io/vuln/SNYK-JS-NOTEVIL-608878).

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
VCID-75c9-8124-buaa	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in notevil.	GHSA-7r5f-7qr4-pf6q GMS-2020-410

Vulnerability

Summary

Aliases

VCID-75c9-8124-buaa

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in notevil.

GHSA-7r5f-7qr4-pf6q
GMS-2020-410

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T01:36:28.622914+00:00	GitLab Importer	Affected by	VCID-echx-vz3r-ryfq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/notevil/CVE-2021-23771.yml	38.6.0
2026-06-05T21:13:37.615453+00:00	GHSA Importer	Fixing	VCID-75c9-8124-buaa	https://github.com/advisories/GHSA-7r5f-7qr4-pf6q	38.6.0
2026-06-04T20:37:57.234947+00:00	GitLab Importer	Affected by	VCID-8bst-w9fp-7faa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/notevil/GMS-2020-411.yml	38.6.0
2026-06-04T17:22:32.945542+00:00	GithubOSV Importer	Fixing	VCID-75c9-8124-buaa	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-7r5f-7qr4-pf6q/GHSA-7r5f-7qr4-pf6q.json	38.6.0
2026-06-04T16:20:21.529659+00:00	GitLab Importer	Fixing	VCID-75c9-8124-buaa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/notevil/GMS-2020-410.yml	38.6.0