Package details: pkg:npm/safe-eval@0.3.0
purl pkg:npm/safe-eval@0.3.0
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.5
Vulnerabilities affecting this package (7)
Vulnerability Summary Fixed by
VCID-6ddq-agvr-zuhf
Aliases:
CVE-2023-26122
GHSA-79xf-67r4-q2jj
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). Vulnerable functions: __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf(). There are no reported fixed by versions.
VCID-f53c-csbx-sfd7
Aliases:
CVE-2017-16088
GHSA-ww6v-677g-p656
Improper Input Validation: By accessing the object constructors, unsanitized user input can access the entire standard library and effectively break out of the sandbox.
0.4.0
Affected by 5 other vulnerabilities.
VCID-jfqz-zcs9-2yby
Aliases:
CVE-2023-26121
GHSA-hcg3-56jf-x4vh
safe-eval vulnerable to Prototype Pollution via the safeEval function: All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content. There are no reported fixed by versions.
VCID-kng7-pxcx-vycx
Aliases:
GMS-2017-187
Sandbox Breakout: By accessing the object constructors, unsanitized user input can access the entire standard library and effectively break out of the sandbox. There are no reported fixed by versions.
VCID-pegh-rtxa-k7d6
Aliases:
CVE-2020-7710
GHSA-hrpq-r399-whgw
Improper Privilege Management: This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine. There are no reported fixed by versions.
VCID-rudx-9f5s-bygg
Aliases:
CVE-2022-25904
GHSA-33vh-7x8q-mg35
safe-eval vulnerable to Prototype Pollution: All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses the vm variable, leading an attacker to modify properties of the Object.prototype. There are no reported fixed by versions.
VCID-ywrn-mga5-uubt
Aliases:
GHSA-9pcf-h8q9-63f6
GMS-2020-766
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in safe-eval. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T03:39:39.234398+00:00 GitLab Importer Affected by VCID-6ddq-agvr-zuhf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/CVE-2023-26122.yml 38.6.0
2026-06-06T03:39:38.687542+00:00 GitLab Importer Affected by VCID-jfqz-zcs9-2yby https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/CVE-2023-26121.yml 38.6.0
2026-06-06T03:19:55.582869+00:00 GitLab Importer Affected by VCID-rudx-9f5s-bygg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/CVE-2022-25904.yml 38.6.0
2026-06-05T21:05:28.370175+00:00 GHSA Importer Affected by VCID-f53c-csbx-sfd7 https://github.com/advisories/GHSA-ww6v-677g-p656 38.6.0
2026-06-04T20:36:49.723183+00:00 GitLab Importer Affected by VCID-ywrn-mga5-uubt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/GMS-2020-766.yml 38.6.0
2026-06-04T20:34:25.375028+00:00 GitLab Importer Affected by VCID-pegh-rtxa-k7d6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/CVE-2020-7710.yml 38.6.0
2026-06-04T20:08:40.699233+00:00 GitLab Importer Affected by VCID-kng7-pxcx-vycx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/GMS-2017-187.yml 38.6.0
2026-06-02T04:37:52.205129+00:00 GitLab Importer Affected by VCID-f53c-csbx-sfd7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/safe-eval/CVE-2017-16088.yml 38.6.0