PT-2022-17597 · Safe-Eval
Author: Peng Zhou (+1)
Published: 2022-12-20 · Updated: 2022-12-29
CVE: CVE-2022-25904
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
safe-eval, all versions
Description
The issue allows an attacker to add or modify properties of Object.prototype (Prototype Pollution) through the safeEval function. The root cause is the function's reliance on the vm variable: code passed to safeEval can reach the host's Object.prototype through it and modify its properties.
Recommendations
For all versions, consider disabling the use of the safeEval function until a patch is available. Restrict access to the vm variable to reduce the risk of Object.prototype properties being modified.
Weakness Enumeration: Prototype Pollution
Related Identifiers: CVE-2022-25904
Affected Products: Safe-Eval