Overview
static-eval is an npm module that evaluates statically-analyzable JavaScript expressions, typically used to compute the value of an expression from its AST without running it through the real interpreter.
Affected versions of the package are vulnerable to Arbitrary Code Execution (CWE-94). If unsanitized user input is passed to static-eval, an attacker can break out of the sandboxed evaluation and execute arbitrary code in the host Node.js process, including calls into the standard library.
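To make the bug class concrete, here is an added example (not static-eval's source and not the reporter's proof of concept): a toy expression evaluator in the same style, showing how an evaluator that lets an expression read arbitrary properties of sandboxed values reaches the `Function` constructor through `"".slice.constructor` and so runs attacker-chosen code in the host process, beside a hardened variant that only reads own properties of plain objects and only calls functions the host placed in scope by name. The grammar, node shapes, the `vars`/`upper`/`user` names and the particular check set are assumptions of this example; the real remediation for static-eval itself remains the upgrade in the Remediation section.

```javascript
// Toy expression evaluator in the style of static-eval, written for this
// advisory page to illustrate the sandbox-escape class it describes.
// It is NOT static-eval's source; grammar, node shapes, sample names and the
// hardening checks below are this example's own assumptions.

const FAIL = Symbol('fail'); // sentinel: expression refused or not evaluable

// Parse a tiny grammar: string literals, identifiers, `.prop` access and
// calls `f(a, b)`. Produces ESTree-like nodes.
function parse(src) {
  let i = 0;
  const ws = () => { while (i < src.length && /\s/.test(src[i])) i++; };
  const ident = () => {
    const m = /^[A-Za-z_$][\w$]*/.exec(src.slice(i));
    if (!m) throw new SyntaxError(`identifier expected at ${i}`);
    i += m[0].length;
    return m[0];
  };
  function primary() {
    ws();
    const q = src[i];
    if (q === '"' || q === "'") {
      const end = src.indexOf(q, i + 1);
      if (end < 0) throw new SyntaxError('unterminated string');
      const value = src.slice(i + 1, end);
      i = end + 1;
      return { type: 'Literal', value };
    }
    return { type: 'Identifier', name: ident() };
  }
  function postfix() {
    let node = primary();
    for (ws(); ; ws()) {
      if (src[i] === '.') {
        i++; ws();
        node = { type: 'MemberExpression', object: node, property: ident() };
      } else if (src[i] === '(') {
        i++; ws();
        const args = [];
        while (src[i] !== ')') {
          args.push(postfix()); ws();
          if (src[i] === ',') { i++; ws(); } else if (src[i] !== ')') throw new SyntaxError('expected )');
        }
        i++;
        node = { type: 'CallExpression', callee: node, arguments: args };
      } else return node;
    }
  }
  const ast = postfix();
  ws();
  if (i !== src.length) throw new SyntaxError(`trailing input at ${i}`);
  return ast;
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// VULNERABLE: any property of any reachable value can be read, so
// `"".slice.constructor` yields the Function constructor and calling it
// compiles attacker-supplied source in the host's global scope.
function evaluateUnsafe(node, vars) {
  switch (node.type) {
    case 'Literal': return node.value;
    case 'Identifier': return hasOwn(vars, node.name) ? vars[node.name] : FAIL;
    case 'MemberExpression': {
      const obj = evaluateUnsafe(node.object, vars);
      return obj === FAIL || obj == null ? FAIL : obj[node.property]; // walks the prototype chain
    }
    case 'CallExpression': {
      const fn = evaluateUnsafe(node.callee, vars);
      const args = node.arguments.map((a) => evaluateUnsafe(a, vars));
      return typeof fn !== 'function' || args.includes(FAIL) ? FAIL : fn.apply(null, args);
    }
    default: return FAIL;
  }
}

// HARDENED: member access only reads own, non-function properties of plain
// objects/arrays (never strings, functions or anything on a prototype), and
// only functions named directly in `vars` can be called.
function evaluateSafe(node, vars) {
  switch (node.type) {
    case 'Literal': return node.value;
    case 'Identifier': return hasOwn(vars, node.name) ? vars[node.name] : FAIL;
    case 'MemberExpression': {
      const obj = evaluateSafe(node.object, vars);
      if (obj === FAIL || obj === null || typeof obj !== 'object') return FAIL;
      if (!hasOwn(obj, node.property)) return FAIL; // blocks constructor, __proto__, inherited methods
      const v = obj[node.property];
      return typeof v === 'function' ? FAIL : v;
    }
    case 'CallExpression': {
      if (node.callee.type !== 'Identifier') return FAIL; // no derived callees
      const fn = evaluateSafe(node.callee, vars);
      const args = node.arguments.map((a) => evaluateSafe(a, vars));
      return typeof fn !== 'function' || args.includes(FAIL) ? FAIL : fn.apply(null, args);
    }
    default: return FAIL;
  }
}

// Syntax errors and runtime throws count as refusal.
function run(evaluator, src, vars) {
  try { return evaluator(parse(src), vars); } catch (e) { return FAIL; }
}

// Constructed inputs: a benign template expression and an escape attempt.
const VARS = { user: { name: 'guest' }, upper: (s) => String(s).toUpperCase() };
const BENIGN = 'upper(user.name)';
const ESCAPE = '"".slice.constructor("return globalThis")()';

function demo() {
  return {
    unsafeBenign: run(evaluateUnsafe, BENIGN, VARS), // 'GUEST'
    unsafeEscape: run(evaluateUnsafe, ESCAPE, VARS), // the host's global object
    safeBenign: run(evaluateSafe, BENIGN, VARS),     // 'GUEST'
    safeEscape: run(evaluateSafe, ESCAPE, VARS),     // FAIL
  };
}

console.log('unsafe escape reached host global:', demo().unsafeEscape === globalThis);
console.log('hardened evaluator refused it:', demo().safeEscape === FAIL);
```

Replacing `"return globalThis"` with `"return process.mainModule.require('child_process')"` in the escape string is all that separates the demonstration from command execution, which is why the advisory rates the integrity, confidentiality and availability impact together. The hardened variant is deliberately strict (string methods and computed callees are refused outright); an allowlist of named host functions is the only way user-facing expressions should reach code.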
Remediation
Upgrade static-eval to version 2.0.0 or higher.
CVSS Score
7.3 (high severity), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Credit: Matt Austin
- CVE: CVE-2017-16226
- CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
- Snyk ID: npm:static-eval:20171016
- Disclosed: 16 Oct, 2017
- Published: 18 Oct, 2017