
Safe-Eval Project Safe-Eval vulnerabilities

5 known vulnerabilities affecting safe-eval_project/safe-eval.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5

Vulnerabilities

CVE-2023-26122 | priority P2 | CRITICAL | CVSS 10.0 | affected: ≤ 0.4.1 | fixed in: * | published: 2023-04-11
CVE-2023-26122 [CRITICAL] CWE-265: All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability may result in remote code execution (RCE). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(
Sources: GHSA, NVD, OSV
CVE-2017-16088 | priority P3 | CRITICAL | CVSS 10.0 | affected: v0.0.0, v0.1.0, +2 more | published: 2018-06-07
CVE-2017-16088 [CRITICAL] CWE-610: The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.
Sources: GHSA, NVD, OSV
CVE-2023-26121 | priority P3 | CRITICAL | CVSS 10.0 | affected: ≤ 0.4.1 | fixed in: * | published: 2023-04-11
CVE-2023-26121 [CRITICAL] CWE-1321: All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content.
Sources: GHSA, NVD, OSV
CVE-2020-7710 | priority P3 | CRITICAL | affected: ≥ 0, ≤ 0.4.1 | published: 2020-08-25
CVE-2020-7710 [CRITICAL] CWE-94: Sandbox Breakout / Arbitrary Code Execution in safe-eval. All versions of `safe-eval` are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through Error objects. This may allow attackers to execute arbitrary code in the system. Evaluating the payload ```js (function (){ var ex = new Error ex.__proto__ = null ex.stack = { match: x => { re
Sources: GHSA, OSV
CVE-2022-25904 | priority P3 | CRITICAL | CVSS 9.8 | affected: ≤ 0.4.1 | fixed in: unspecified | published: 2022-12-20
CVE-2022-25904 [CRITICAL] CWE-1321: All versions of package safe-eval are vulnerable to Prototype Pollution, which allows an attacker to add or modify properties of Object.prototype when using the function safeEval. This is because the function evaluates its input through the `vm` module's context, from which an attacker can reach and modify the host's Object.prototype.
Sources: GHSA, NVD, OSV