CVE-2019-10769 — Sandbox Breakout / Arbitrary Code Execution in safer-eval

Description

All versions of `safer-eval` are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to process arbitrary user input. This may allow attackers to execute arbitrary code in the system. ## Recommendation The package is not meant to receive user input. Consider using an alternative package until a fix is made available.

How to fix CVE-2019-10769

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2019-10769 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.3.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYgithub.com/advisories/GHSA-v63x-xc9j-hhvq
ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10769
WEBgithub.com/commenthol/safer-eval/security/advisories/GHSA-v63x-xc9j-hhvq
WEBsnyk.io/vuln/SNYK-JS-SAFEREVAL-534901
WEB