CVE-2019-10760 — Sandbox Breakout / Arbitrary Code Execution in safer-eval

Description

Versions of `safer-eval` before 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. ## Recommendation Upgrade to version 1.3.2.

How to fix CVE-2019-10760

To remediate CVE-2019-10760, upgrade the affected package to a fixed version below.

npm/safer-eval—upgrade to 1.3.2 or later

Is CVE-2019-10760 being exploited?

Moderate — EPSS is 10.8%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10760
WEBgithub.com/commenthol/safer-eval/commit/1c29f6a6e304fb650c05056e217e457a0d2cc3c5
WEBsnyk.io/vuln/SNYK-JS-SAFEREVAL-473029
WEBwww.npmjs.com/advisories/787