CVE-2023-26122

2023-04-1105:15:07

CWE-1321

CWE-265

[email protected]

web.nvd.nist.gov

cve-2023-26122

safe-eval

vulnerability

prototype pollution

rce

nvd

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.009 Low

EPSS

Percentile

83.2%

JSON

All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation.
Exploiting this vulnerability might result in remote code execution (“RCE”).

Vulnerable functions:

defineGetter, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().

Affected configurations

NVD

Node

safe-eval_projectsafe-evalRange≤0.4.1node.js

CPENameOperatorVersion
safe-eval_project:safe-evalsafe-eval project safe-evalle0.4.1

CPE	Name	Operator	Version
safe-eval_project:safe-eval	safe-eval project safe-eval	le	0.4.1

CNA Affected

[
  {
    "product": "safe-eval",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]