Vulnerabilities > CVE-2022-25904 - Unspecified vulnerability in Safe-Eval Project Safe-Eval

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

safe-eval-project

critical

NVD

Published: 2022-12-20

Updated: 2024-11-21

Summary

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.

Vulnerable Configurations

Part	Description	Count
Application	Safe-Eval_Project Safe Eval Project Safe Eval 0.0.0 Safe Eval Project Safe Eval 0.1.0 Safe Eval Project Safe Eval 0.2.0 Safe Eval Project Safe Eval 0.3.0 Safe Eval Project Safe Eval 0.4.0 Safe Eval Project Safe Eval 0.4.1	6

References

https://github.com/hacksparrow/safe-eval/issues/26
https://github.com/hacksparrow/safe-eval/issues/26
https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701
https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701