Advisories for Npm/Safe-Eval package

2023
2022

safe-eval vulnerable to Prototype Pollution

All versions of the package safe-eval are vulnerable to Prototype Pollution, which allows an attacker to add or modify properties of Object.prototype when using the function safeEval. This is because the function uses a vm variable, which lets an attacker modify properties of Object.prototype.

2020
2018
2017

Sandbox Breakout

By accessing the object constructors, unsanitized user input can reach the entire standard library and effectively break out of the sandbox.