GHSA-q849-wxrc-vqrp

Source
https://github.com/advisories/GHSA-q849-wxrc-vqrp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-q849-wxrc-vqrp/GHSA-q849-wxrc-vqrp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q849-wxrc-vqrp
Published
2024-12-02T20:11:39Z
Modified
2024-12-02T20:11:39Z
Summary
hull.js Code Injection Vulnerability
Details

Versions of the library from 0.2.2 to 1.0.9 are vulnerable to arbitrary code execution due to unsafe use of new Function(...) in the module that handles the points format. Applications that pass the third parameter to the hull function without sanitising it may be affected. The vulnerability has been fixed in version 1.0.10; please update the library. See the project homepage on GitHub for how to fetch the latest version: https://github.com/andriiheonia/hull?tab=readme-ov-file#npm-package
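A defender-side mitigation for the format parameter described above, as an added example that is not code from hull.js or the advisory: it assumes hull.js format entries look like '.x' / '.y' or '[0]' / '[1]' (as shown in the project README), parses them with a fixed grammar instead of compiling them with new Function(...), and projects the points up front so the third parameter is never passed to the library at all.

```javascript
// Added example, not code from hull.js or the advisory: build point-coordinate
// accessors from a format description without evaluating it as code.
// Assumption: hull.js accepts format entries such as '.x' / '.y' or '[0]' / '[1]'
// (as in its README). Compiling such strings with new Function(...) is the
// CWE-94 pattern; this parser accepts only a fixed grammar and never evals.

// One path segment: .identifier, [index], or ['key'] / ["key"]; nothing else.
const SEGMENT_SRC = String.raw`\.([A-Za-z_$][\w$]*)|\[(\d+)\]|\[(?:'([^'\\]*)'|"([^"\\]*)")\]`;

// Parse one format entry into a list of property keys, or throw.
function parsePath(fmt) {
  if (typeof fmt !== 'string' || fmt.length === 0) {
    throw new TypeError('format entry must be a non-empty string');
  }
  const seg = new RegExp(SEGMENT_SRC, 'y'); // sticky: must match exactly at lastIndex
  const keys = [];
  while (seg.lastIndex < fmt.length) {
    const m = seg.exec(fmt);
    if (m === null) {
      // Any character outside the grammar (e.g. ';', '(', ')') lands here.
      throw new SyntaxError('unsupported format entry: ' + JSON.stringify(fmt));
    }
    if (m[1] !== undefined) keys.push(m[1]);
    else if (m[2] !== undefined) keys.push(Number(m[2]));
    else keys.push(m[3] !== undefined ? m[3] : m[4]);
  }
  return keys;
}

// Turn a parsed path into a plain accessor function (no code generation).
function compileAccessor(fmt) {
  const keys = parsePath(fmt);
  return (point) => keys.reduce((v, k) => (v == null ? undefined : v[k]), point);
}

// Project points into the default [x, y] shape hull.js uses when no format is
// given, so an untrusted format string never reaches the library's third parameter.
function toXY(points, format) {
  if (!Array.isArray(format) || format.length !== 2) {
    throw new TypeError('format must be [xPath, yPath]');
  }
  const [getX, getY] = format.map(compileAccessor);
  return points.map((p) => [getX(p), getY(p)]);
}

// Usage: const xy = toXY(points, format); then call hull(xy, concavity) with no third argument.
```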

Database specific
{
    "github_reviewed_at": "2024-12-02T20:11:39Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

Package
npm / hull.js

Affected ranges

Type
SEMVER
Events
Introduced
0.2.2
Fixed
1.0.10