Code Injection in GitHub repository builderio/qwik prior to 0.21.0. The Function deserializer can be accessed using the pureServerFunction feature. This allows any Javascript code to be run by node.js.
{ "nvd_published_at": "2023-03-08T22:15:00Z", "github_reviewed_at": "2023-03-10T22:28:41Z", "github_reviewed": true, "severity": "CRITICAL", "cwe_ids": [ "CWE-94" ] }