PT-2020-19254 · Hot · Hot-Formula-Parser

Published: 2020-01-11 · Updated: 2020-05-06 · CVE-2020-6836

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: hot-formula-parser versions prior to 3.0.1

Description: The package does not sanitize values passed to the parse function and concatenates them into an eval call, which allows arbitrary code injection. If a formula value is taken from user-controlled input, an attacker may be able to run arbitrary commands on the server; for example, parsing a specially crafted formula can create a file in the current directory.

Recommendations: For versions prior to 3.0.1, upgrade to version 3.0.1 or later. As a temporary workaround, restrict use of the parse function until the patch is applied, and avoid passing user-controlled input to the hot-formula-parser package until the issue is resolved.
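The workaround above ("restrict the use of the parse function") is easier to apply with a concrete gate in front of the parser. The following is an added example, not code from the hot-formula-parser project or from this advisory: an allowlist tokenizer that admits only a narrow spreadsheet-formula grammar (numbers, cell references, a fixed set of function names, arithmetic and comparison operators, plain string literals) and rejects everything else before the string ever reaches an evaluator. The names `isSafeFormula`, `tokenizeFormula` and `evaluateUserFormula` are hypothetical; `parseFn` stands for whatever evaluator the application uses (for a patched hot-formula-parser this would wrap `Parser#parse`, which is assumed here to return an `{ error, result }` object).

```javascript
// Added example (not the hot-formula-parser project's code): a strict allowlist
// gate placed in front of a formula evaluator. Anything outside the grammar
// below is refused, so characters and names an eval-based evaluator might act
// on (semicolons, backticks, braces, unknown identifiers) never reach it.

// Hypothetical allowlist of function names the application actually needs.
const ALLOWED_FUNCTIONS = new Set(['SUM', 'AVERAGE', 'MIN', 'MAX', 'IF', 'ABS', 'ROUND']);

// Single-character operators and punctuation permitted in a formula.
const OPERATORS = '+-*/^&=<>(),:%';

// Characters permitted inside a double-quoted string literal (no quotes,
// backslashes, backticks, braces or control characters).
const STRING_BODY_RE = /^"[A-Za-z0-9 _.,:;!?@#%&*+\-\/=<>()]*"$/;

// Returns an array of tokens, or null if any character or word is not part
// of the allowed grammar. Note: a function name must be immediately followed
// by "(", so "SUM (1)" is rejected along with any bare identifier.
function tokenizeFormula(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === ' ' || ch === '\t') { i++; continue; }
    if (/[0-9]/.test(ch)) {
      let j = i;
      while (j < src.length && /[0-9.]/.test(src[j])) j++;
      tokens.push({ type: 'number', text: src.slice(i, j) });
      i = j;
      continue;
    }
    if (ch === '"') {
      let j = i + 1;
      while (j < src.length && src[j] !== '"') j++;
      if (j >= src.length) return null; // unterminated literal
      tokens.push({ type: 'string', text: src.slice(i, j + 1) });
      i = j + 1;
      continue;
    }
    if (/[A-Za-z$]/.test(ch)) {
      let j = i;
      while (j < src.length && /[A-Za-z0-9_$]/.test(src[j])) j++;
      const word = src.slice(i, j);
      if (src[j] === '(') {
        tokens.push({ type: 'func', text: word.toUpperCase() });
      } else if (/^\$?[A-Z]{1,3}\$?[0-9]{1,7}$/i.test(word)) {
        tokens.push({ type: 'cell', text: word });
      } else {
        return null; // bare identifiers (e.g. "process") are not part of the grammar
      }
      i = j;
      continue;
    }
    if (OPERATORS.includes(ch)) {
      tokens.push({ type: 'op', text: ch });
      i++;
      continue;
    }
    return null; // any other character is refused
  }
  return tokens;
}

// True only if the formula is a string within the length bound, tokenizes
// cleanly, uses only allowlisted functions, well-formed numbers and safe
// string literals, and has balanced parentheses.
function isSafeFormula(src, maxLength = 512) {
  if (typeof src !== 'string' || src.length === 0 || src.length > maxLength) return false;
  const tokens = tokenizeFormula(src);
  if (tokens === null) return false;
  let depth = 0;
  for (const t of tokens) {
    if (t.type === 'func' && !ALLOWED_FUNCTIONS.has(t.text)) return false;
    if (t.type === 'number' && !/^[0-9]+(\.[0-9]+)?$/.test(t.text)) return false;
    if (t.type === 'string' && !STRING_BODY_RE.test(t.text)) return false;
    if (t.type === 'op' && t.text === '(') depth++;
    if (t.type === 'op' && t.text === ')' && --depth < 0) return false;
  }
  return depth === 0;
}

// Gate: only validated formulas are handed to the evaluator; everything else
// is answered with an error object of the same shape, never evaluated.
function evaluateUserFormula(formula, parseFn) {
  if (!isSafeFormula(formula)) return { error: '#REJECTED!', result: null };
  return parseFn(formula);
}

module.exports = { tokenizeFormula, isSafeFormula, evaluateUserFormula };
```

The gate is deliberately narrower than what the parser itself accepts: an application that needs more functions extends `ALLOWED_FUNCTIONS` rather than loosening the tokenizer, and the length bound caps the work any single input can cause. It complements, and does not replace, upgrading to 3.0.1 or later.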

Fix

Code Injection


Weakness Enumeration

Related Identifiers: CVE-2020-6836, GHSA-RC77-XXQ6-4MFF

Affected Products: Hot-Formula-Parser