GHSA-mmqv-m45h-q2hp

Source

https://github.com/advisories/GHSA-mmqv-m45h-q2hp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-mmqv-m45h-q2hp/GHSA-mmqv-m45h-q2hp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mmqv-m45h-q2hp

Published

2020-09-04T15:22:40Z

Modified

2026-02-03T03:17:19.972456Z

Summary

Sandbox Breakout / Arbitrary Code Execution in localeval

Details

All versions of localeval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through constructor.constructor. This may allow attackers to execute arbitrary code in the system. Evaluating the payload

constructor.constructor("return process.env")()

returns the contents of process.env.

Recommendation

No fix is currently available. Consider using an alternative package until a fix is made available.

Database specific

{
    "github_reviewed_at": "2020-08-31T18:55:41Z",
    "severity": "CRITICAL",
    "cwe_ids": [],
    "github_reviewed": true,
    "nvd_published_at": null
}

References

Affected packages

npm / localeval

Package

Name: localeval; View open source insights on deps.dev
Purl: pkg:npm/localeval

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

15.3.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-mmqv-m45h-q2hp/GHSA-mmqv-m45h-q2hp.json"