Advisories for Npm/Jsen package

2020

Arbitrary Code Execution

This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In particular the required field of the schema is not properly sanitized. The resulting string that is build based on the schema definition is then passed to a Function.apply();, leading to an Arbitrary Code Execution.