CVE-2017-1001004
Arbitrary JavaScript Execution in typed-function
EPSS 0.75%
Description
Versions of `typed-function` prior to 0.10.6 are vulnerable to Arbitrary JavaScript Execution. Function names are not properly sanitized and may allow an attacker to execute arbitrary code.
Recommendation
Upgrade to version 0.10.6 or later.
How to fix CVE-2017-1001004
To remediate CVE-2017-1001004, upgrade the affected package to the fixed version listed below.
- npm/typed-function: upgrade to 0.10.6 or later
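To confirm that no copy of the package below 0.10.6 remains after upgrading, including transitive installs, the lock file can be checked. The following is an added example, not part of the advisory or the typed-function project; the function names, the `example-lib` package and the sample lock data are assumptions constructed for illustration.

```javascript
// Added example, not from the advisory: report typed-function installs
// below 0.10.6 in a parsed package-lock.json object.
const PACKAGE = 'typed-function';
const FIXED = [0, 10, 6];

// True when `version` is older than 0.10.6. Values that are not plain
// semver (git URLs, missing version) are flagged for manual review.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return m[4] === '-'; // a 0.10.6 pre-release sorts before 0.10.6
}

function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + PACKAGE) && isAffected(info.version)) {
        hits.push({ path, version: info.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PACKAGE && isAffected(info.version)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock data; example-lib is a hypothetical package.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/typed-function': { version: '0.10.6' },
  'node_modules/example-lib/node_modules/typed-function': { version: '0.10.5' } } };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'typed-function': { version: '1.1.0' },
  'example-lib': { version: '1.0.0',
    dependencies: { 'typed-function': { version: '0.9.2' } } } } };
console.log(findAffected(SAMPLE_V3), findAffected(SAMPLE_V1));
```

Pass `findAffected` the result of `JSON.parse` on the project's `package-lock.json`; an empty array means every locked copy is at 0.10.6 or later.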
Is CVE-2017-1001004 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/typed-function: from 0, < 0.10.6