CVE-2019-10759

CRITICAL9.9EPSS 0.97%

Sandbox Breakout / Arbitrary Code Execution in safer-eval

Published: 10/21/2019Modified: 3/13/2026

Description

Versions of `safer-eval` prior to 1.3.4 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. For example, evaluating he string `console.constructor.constructor('return process')().env` prints `process.env` to the console. ## Recommendation Upgrade to version 1.3.4 or later.

Affected packages (1)

npm/safer-evalfrom 0, < 1.3.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10759
WEBhttps://snyk.io/vuln/SNYK-JS-SAFEREVAL-173772
WEBhttps://www.npmjs.com/advisories/1021