CVE-2019-10760

CRITICAL9.9EPSS 10.8%

Sandbox Breakout / Arbitrary Code Execution in safer-eval

Published: 10/17/2019Modified: 3/13/2026

Description

Versions of `safer-eval` before 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. ## Recommendation Upgrade to version 1.3.2.

Affected packages (1)

npm/safer-evalfrom 0, < 1.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10760
WEBhttps://github.com/commenthol/safer-eval/commit/1c29f6a6e304fb650c05056e217e457a0d2cc3c5
WEBhttps://snyk.io/vuln/SNYK-JS-SAFEREVAL-473029
WEBhttps://www.npmjs.com/advisories/787