PT-2018-6116 · Npm · Safe-Eval

Odino

Published

2018-06-07

Updated

2019-10-09

CVE-2017-16088

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: safe-eval versions prior to 0.4.0

Description: The issue allows un-sanitized user input to access the entire standard library by accessing object constructors, effectively breaking out of the sandbox. This can be achieved by exploiting the safe-eval module, which is intended to be a safer version of eval.

Recommendations: For versions prior to 0.4.0, update to version 0.4.0 or later. As a temporary workaround, consider restricting the use of the safe-eval module until the issue is resolved. Avoid using un-sanitized user input in the safe-eval function to minimize the risk of exploitation.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-610

Related Identifiers

CVE-2017-16088

GHSA-WW6V-677G-P656

Affected Products

Safe-Eval

PT-2018-6116 · Npm · Safe-Eval

CVE-2017-16088

Weakness Enumeration

Related Identifiers

Affected Products

References · 9