CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 8CVE-2023-26122
https://notcve.org/view.php?id=CVE-2023-26122
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf(). • https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce https://github.com/hacksparrow/safe-eval/issues/27 https://github.com/hacksparrow/safe-eval/issues/31 https://github.com/hacksparrow/safe-eval/issues/32 https://github.com/hacksparrow/safe-eval/issues/33 https://github.com/hacksparrow/safe-eval/issues/34 https://github.com/hacksparrow/safe-eval/issues/35 https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373064 • CWE-265: Privilege Issues CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3CVE-2023-26121
https://notcve.org/view.php?id=CVE-2023-26121
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its parameter content. • https://gist.github.com/seongil-wi/9d9fc0cc5b7b130419cd45827e59c4f9 https://github.com/hacksparrow/safe-eval/issues/28 https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373062 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2022-25904 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2022-25904
All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype. Todas las versiones del paquete safe-eval son vulnerables a Prototype Pollution, que permite a un atacante agregar o modificar propiedades de Object.prototype.Consolidate cuando usa la función safeEval. Esto se debe a que la función usa la variable vm, lo que lleva a un atacante a modificar las propiedades del Object.prototype. • https://github.com/hacksparrow/safe-eval/issues/26 https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 1CVE-2017-16088
https://notcve.org/view.php?id=CVE-2017-16088
The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. El módulo safe-eval se describe como una versión más segura de eval. Mediante el acceso a los constructores de objeto, las entradas de usuario no saneadas pueden acceder a la totalidad de la biblioteca estándar y salir del sandbox. • https://github.com/Flyy-yu/CVE-2017-16088 https://github.com/hacksparrow/safe-eval/issues/5 https://github.com/patriksimek/vm2/issues/59 https://nodesecurity.io/advisories/337 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •