All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.
References
Link | Resource |
---|---|
https://github.com/hacksparrow/safe-eval/issues/26 | Exploit Issue Tracking Third Party Advisory |
https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701 | Exploit Issue Tracking Third Party Advisory |
Configurations
History
29 Dec 2022, 18:43
Type | Values Removed | Values Added |
---|---|---|
First Time |
Safe-eval Project
Safe-eval Project safe-eval |
|
CWE | CWE-1321 | |
CPE | cpe:2.3:a:safe-eval_project:safe-eval:*:*:*:*:*:node.js:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | (CONFIRM) https://github.com/hacksparrow/safe-eval/issues/26 - Exploit, Issue Tracking, Third Party Advisory | |
References | (CONFIRM) https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701 - Exploit, Issue Tracking, Third Party Advisory |
20 Dec 2022, 06:15
Type | Values Removed | Values Added |
---|---|---|
Summary | All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype. |
20 Dec 2022, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-20 05:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-25904
Mitre link : CVE-2022-25904
CVE.ORG link : CVE-2022-25904
JSON object : View
Products Affected
safe-eval_project
- safe-eval
CWE
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')