CVE-2019-10769
Published 2019-12-06
Priority: P3 (55) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.57% (percentile 83.2)
safer-eval is an npm package that sandboxes the evaluation of code passed to the eval function. Affected versions of this package are vulnerable to arbitrary code execution by generating a RangeError.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongo-express_project | mongo-express | <= 0.54.0 | — |
| safer-eval_project | safer-eval | 0 – 1.3.6 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
OSV / GHSA
Remote code execution in mongo-express
osv · ghsa · 2021-04-13 · CVSS 9.8
CVE-2020-24391 [CRITICAL] CWE-20 Remote code execution in mongo-express
mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769.
GHSA / OSV
Sandbox Breakout / Arbitrary Code Execution in safer-eval
ghsa · osv · 2019-12-11
CVE-2019-10769 [CRITICAL] CWE-20 Sandbox Breakout / Arbitrary Code Execution in safer-eval
All versions of `safer-eval` are vulnerable to sandbox escape leading to remote code execution. The package fails to restrict access to the main context and is not suited to processing arbitrary user input. This may allow attackers to execute arbitrary code on the system.
## Recommendation
The package is not meant to receive user input. Consider using an alternative package until a fix is made available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.