CVE-2019-10769

CRITICAL9.8EPSS 0.53%

Sandbox Breakout / Arbitrary Code Execution in safer-eval

發布日:2019/12/11修改日:2026/5/4

描述

All versions of `safer-eval` are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to process arbitrary user input. This may allow attackers to execute arbitrary code in the system. ## Recommendation The package is not meant to receive user input. Consider using an alternative package until a fix is made available.

受影響套件(1)

npm/safer-evalfrom 0, <= 1.3.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://github.com/advisories/GHSA-v63x-xc9j-hhvq
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10769
WEBhttps://github.com/commenthol/safer-eval/security/advisories/GHSA-v63x-xc9j-hhvq
WEBhttps://snyk.io/vuln/SNYK-JS-SAFEREVAL-534901
WEBhttps://www.npmjs.com/advisories/1428