CVE-2019-10759
CRITICAL9.9EPSS 0.97%Sandbox Breakout / Arbitrary Code Execution in safer-eval
發布日:2019/10/21修改日:2026/3/13
描述
Versions of `safer-eval` prior to 1.3.4 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. For example, evaluating he string `console.constructor.constructor('return process')().env` prints `process.env` to the console. ## Recommendation Upgrade to version 1.3.4 or later.
受影響套件(1)
- npm/safer-evalfrom 0, < 1.3.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |