Lucene search

[email protected]NVD:CVE-2022-25904

HistoryDec 20, 2022 - 5:15 a.m.

CVE-2022-25904

2022-12-2005:15:11

CWE-1321

[email protected]

web.nvd.nist.gov

safe-eval

prototype pollution

object.prototype.consolidate

vm variable

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.4%

JSON

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.

Affected configurations

Nvd

Node

safe-eval_projectsafe-evalRange≤0.4.1node.js

VendorProductVersionCPE
safe-eval_projectsafe-eval*cpe:2.3:a:safe-eval_project:safe-eval:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
safe-eval_project	safe-eval	*	cpe:2.3:a:safe-eval_project:safe-eval::::::node.js::*

References

github.com/hacksparrow/safe-eval/issues/26

security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.4%

JSON

Related for NVD:CVE-2022-25904

veracode1 cvelist1 osv2 prion1 github1 cve1