crossbow-lang is an unmaintained fork of
eval() function to evaluate the "if" statement conditions. The input to the function is sanitized by escaping all potentially dangerous characters.
However, if the variable passed in is an array, no escaping is applied, exposing an easy path to code injection. The risk of exploitation is especially high given that
koa and many other Node.js servers allow users to force a query parameter to be an array using the
The latest release (v1.0.0) is vulnerable, so we suggest avoiding it altogether until a patch is made available.
- Snyk ID
- 09 Jan, 2015
- 18 Sep, 2016