Package details: pkg:npm/safe-eval@0.4.1
purl pkg:npm/safe-eval@0.4.1
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.5
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-6ddq-agvr-zuhf
Aliases:
CVE-2023-26122
GHSA-79xf-67r4-q2jj
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). Vulnerable functions: __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf(). There are no reported fixed by versions.
VCID-jfqz-zcs9-2yby
Aliases:
CVE-2023-26121
GHSA-hcg3-56jf-x4vh
safe-eval vulnerable to Prototype Pollution via the safeEval function. All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content. There are no reported fixed by versions.
VCID-pegh-rtxa-k7d6
Aliases:
CVE-2020-7710
GHSA-hrpq-r399-whgw
Improper Privilege Management. This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine. There are no reported fixed by versions.
VCID-rudx-9f5s-bygg
Aliases:
CVE-2022-25904
GHSA-33vh-7x8q-mg35
safe-eval vulnerable to Prototype Pollution. All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses the vm variable, allowing an attacker to modify properties of the Object.prototype. There are no reported fixed by versions.
VCID-ywrn-mga5-uubt
Aliases:
GHSA-9pcf-h8q9-63f6
GMS-2020-766
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in safe-eval. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-07T20:48:06.428224+00:00 GHSA Importer Affected by VCID-rudx-9f5s-bygg https://github.com/advisories/GHSA-33vh-7x8q-mg35 38.6.0
2026-06-06T03:39:39.243242+00:00 GitLab Importer Affected by VCID-6ddq-agvr-zuhf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/CVE-2023-26122.yml 38.6.0
2026-06-05T21:12:46.524260+00:00 GHSA Importer Affected by VCID-pegh-rtxa-k7d6 https://github.com/advisories/GHSA-hrpq-r399-whgw 38.6.0
2026-06-05T17:13:49.640772+00:00 GitLab Importer Affected by VCID-rudx-9f5s-bygg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/CVE-2022-25904.yml 38.6.0
2026-06-04T20:36:49.726478+00:00 GitLab Importer Affected by VCID-ywrn-mga5-uubt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/GMS-2020-766.yml 38.6.0
2026-06-04T20:34:25.384983+00:00 GitLab Importer Affected by VCID-pegh-rtxa-k7d6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/CVE-2020-7710.yml 38.6.0
2026-06-02T04:44:29.145161+00:00 GitLab Importer Affected by VCID-jfqz-zcs9-2yby https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/CVE-2023-26121.yml 38.6.0