CVE-2022-25904
Last modified
CVE-2022-25904 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.. EPSS estimates a 0.88% chance of exploitation in the next 30 days.
Description
All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Safe-Eval Project | Safe-Eval | <= 0.4.1 |
References
- https://github.com/hacksparrow/safe-eval/issues/26Exploit, Issue Tracking, Third Party Advisory
- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701Exploit, Issue Tracking, Third Party Advisory
- https://github.com/hacksparrow/safe-eval/issues/26Exploit, Issue Tracking, Third Party Advisory
- https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701Exploit, Issue Tracking, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-25904?
How severe is CVE-2022-25904?
How do I fix CVE-2022-25904?
Are you affected by CVE-2022-25904?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST