CVE-2022-25904 — safe-eval vulnerable to Prototype Pollution

Description

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.

How to fix CVE-2022-25904

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-25904 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25904
PATCHgithub.com/hacksparrow/safe-eval
WEBgithub.com/hacksparrow/safe-eval/issues/26
WEBsecurity.snyk.io/vuln/SNYK-JS-SAFEEVAL-3175701