- Snyk ID npm:safe-eval:20170830
- published 6 Sep 2017
- disclosed 30 Aug 2017
- credit Alessandro Nadalin
How to fix?
Upgrade safe-eval to version 0.4.0 or higher.
safe-eval is a version of eval, claiming to be safer.
Affected versions of this package are vulnerable to Sandbox Escaping. User input is not sanitized before being passed on to the safeEval function. A malicious user could access the object constructors, allowing access to the standard library, then escaping the sandbox.
Proof of Concept:
var safeEval = require('safe-eval');
safeEval("this.constructor.constructor('return process')().exit()");