The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.
[
{
"product": "static-eval node module node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "<=1.1.1"
}
]
}
]