CVE-2021-23334

Name of the Vulnerable Software and Affected Versions static-eval versions prior to a fixed version

Description The issue is related to incorrect code generation management in the FunctionExpressions and TemplateLiterals functions of the static-eval package. This can allow a remote attacker to execute arbitrary code. The exploitation involves using the evaluate function from the static-eval package and the parse function from the esprima package to execute malicious code. For example, an attacker can use the eval function to execute system commands, such as console.log(global.process.mainModule.constructor. load('child process').execSync('ls').toString()). However, it's worth noting that this issue was later deemed not a vulnerability, as discussed in the related issue on GitHub.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.