CVE-2019-10769

CRITICAL9.8EPSS 0.53%

Sandbox Breakout / Arbitrary Code Execution in safer-eval

Published: 12/11/2019Modified: 5/4/2026

Description

All versions of `safer-eval` are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to process arbitrary user input. This may allow attackers to execute arbitrary code in the system. ## Recommendation The package is not meant to receive user input. Consider using an alternative package until a fix is made available.

Affected packages (1)

npm/safer-evalfrom 0, <= 1.3.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://github.com/advisories/GHSA-v63x-xc9j-hhvq
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10769
WEBhttps://github.com/commenthol/safer-eval/security/advisories/GHSA-v63x-xc9j-hhvq
WEBhttps://snyk.io/vuln/SNYK-JS-SAFEREVAL-534901
WEBhttps://www.npmjs.com/advisories/1428