Vulnerability Description
All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Safe-Eval Project | Safe-Eval | <= 0.4.1 |
Related Weaknesses (CWE)
References
- https://github.com/hacksparrow/safe-eval/issues/26ExploitIssue TrackingThird Party Advisory
- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701ExploitIssue TrackingThird Party Advisory
- https://github.com/hacksparrow/safe-eval/issues/26ExploitIssue TrackingThird Party Advisory
- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701ExploitIssue TrackingThird Party Advisory
FAQ
What is CVE-2022-25904?
CVE-2022-25904 is a vulnerability with a CVSS score of 7.5 (HIGH). All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This ...
How severe is CVE-2022-25904?
CVE-2022-25904 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-25904?
Check the references section above for vendor advisories and patch information. Affected products include: Safe-Eval Project Safe-Eval.