Versions of safer-eval
prior to 1.3.4 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. For example, evaluating he string console.constructor.constructor('return process')().env
prints process.env
to the console.
Upgrade to version 1.3.4 or later.
{ "nvd_published_at": "2019-10-15T15:15:00Z", "github_reviewed_at": "2019-10-17T17:06:35Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-94" ] }