Vulnerability Description
The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.
CVSS Score
9.8 CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Static-Eval Project | Static-Eval | < 2.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/substack/static-eval/pull/18 (Patch, Third Party Advisory)
- https://maustin.net/articles/2017-10/static_eval (Third Party Advisory)
- https://nodesecurity.io/advisories/548 (Exploit, Third Party Advisory)
FAQ
What is CVE-2017-16226?
CVE-2017-16226 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.
How severe is CVE-2017-16226?
CVE-2017-16226 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-16226?
The references section above lists the upstream patch (static-eval pull request #18) and third-party advisories. The affected product is Static-Eval (Static-Eval Project), versions before 2.0.0.