notevil@1.3.3

Vulnerabilities

1 via 1 paths

Dependencies

2

Source

npm


high severity

Remote Code Execution (RCE)

  • Vulnerable module: notevil
  • Introduced through: notevil@1.3.3

Detailed paths

  • Introduced through: notevil@1.3.3

Overview

notevil is a module that uses esprima to parse the JavaScript AST, then walks each node and evaluates the result.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). It allows an attacker to escape the intended sandbox and execute JavaScript code in the global context, meaning that they can achieve arbitrary command execution (RCE) when running in Node.js and cross-site scripting (XSS) when running in the browser.

Remediation

A fix was pushed into the master branch but not yet published.

References