GHSA-v63x-xc9j-hhvq

Source

https://github.com/advisories/GHSA-v63x-xc9j-hhvq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-v63x-xc9j-hhvq/GHSA-v63x-xc9j-hhvq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v63x-xc9j-hhvq

Aliases

CVE-2019-10769

Published

2019-12-11T02:01:44Z

Modified

2026-05-04T08:30:35.863700026Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Sandbox Breakout / Arbitrary Code Execution in safer-eval

Details

All versions of safer-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to process arbitrary user input. This may allow attackers to execute arbitrary code in the system.

Recommendation

The package is not meant to receive user input. Consider using an alternative package until a fix is made available.

Database specific

{
    "severity": "CRITICAL",
    "github_reviewed_at": "2020-06-16T21:56:57Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-94"
    ],
    "nvd_published_at": "2019-12-06T23:15:00Z",
    "github_reviewed": true
}

References

Affected packages

npm / safer-eval

Package

Name: safer-eval; View open source insights on deps.dev
Purl: pkg:npm/safer-eval

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.3.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-v63x-xc9j-hhvq/GHSA-v63x-xc9j-hhvq.json"