notevil@1.2.0 vulnerabilities

Evalulate javascript like the built-in eval() method but safely

Direct Vulnerabilities

Known vulnerabilities in the notevil package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Sandbox Bypass

notevil is a module uses esprima to parse the javascript AST then walks each node and evaluates the result **Note:**This package has been deprecated.

Affected versions of this package are vulnerable to Sandbox Bypass. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype.

Note: This vulnerability derives from an incomplete fix in SNYK-JS-NOTEVIL-608878.

How to fix Sandbox Bypass?

There is no fixed version for notevil.

*
  • M
Prototype Pollution

notevil is a module uses esprima to parse the javascript AST then walks each node and evaluates the result **Note:**This package has been deprecated.

Affected versions of this package are vulnerable to Prototype Pollution. It is vulnerable to Sandbox Escape leading to Prototype pollution. The package fails to restrict access to the main context, allowing an attacker to add or modify an object's prototype.

Evaluating the payload try{a[b];}catch(e){e.constructor.constructor('return __proto__.arguments.callee.__proto__.polluted=true')()} will add the polluted property to Function.

How to fix Prototype Pollution?

Upgrade notevil to version 1.3.3 or higher.

<1.3.3
  • M
Remote Code Execution (RCE)

notevil is a module uses esprima to parse the javascript AST then walks each node and evaluates the result **Note:**This package has been deprecated.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The package fails to prevent access to the Function constructor by not checking the return values of function calls. This allows attackers to access the Function prototype's constructor leading to the attacker being able to escape the sandbox leading to remote code execution.

How to fix Remote Code Execution (RCE)?

Upgrade notevil to version 1.3.2 or higher.

<1.3.2