PT-2019-12032 · Npm · Safe-Eval

Beny Zeltser · Published 2019-10-15 · Updated 2021-07-21 · CVE-2019-10759

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: safer-eval versions prior to 1.3.4

Description: The issue allows arbitrary code execution through a sandbox escape. Host objects exposed to the sandbox carry their own prototype chain, so their `constructor` properties lead back to the host realm's `Function`, which can build and run arbitrary code outside the sandbox. For example, evaluating the string `console.constructor.constructor('return process')().env` returns the host's `process.env`, which can then be printed to the console.

Recommendations: Upgrade to version 1.3.4 or later.

Exploit

Fix

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2019-10759
GHSA-R3X4-WR4H-PW33
SNYK-JS-SAFEREVAL-173772

Affected Products

Safe-Eval