GHSA-5mjw-6jrh-hvfq

Suggest an improvement
Source
https://github.com/advisories/GHSA-5mjw-6jrh-hvfq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-5mjw-6jrh-hvfq/GHSA-5mjw-6jrh-hvfq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5mjw-6jrh-hvfq
Aliases
Published
2018-08-06T21:37:06Z
Modified
2023-11-08T03:59:12.567883Z
Summary
Sandbox Breakout / Arbitrary Code Execution in static-eval
Details

Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

Proof of concept

var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, {});
// Will print the process id

Recommendation

Update to version 2.0.0 or later.

Database specific 
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:16:46Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

npm / static-eval

Package

Name
static-eval
View open source insights on deps.dev
Purl
pkg:npm/static-eval

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.0