Name of the Vulnerable Software and Affected Versions veval versions (affected versions not specified)

Description The issue allows for Sandbox Escape, leading to Remote Code Execution. The veval package fails to restrict access to the main context through this.constructor.constructor. This may enable attackers to execute arbitrary code in the system. For example, evaluating the payload this.constructor.constructor('return process.env')() can print the contents of process.env.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.