Sandbox Breakout / Arbitrary Code Execution in safer-eval

2020-09-03T21:18:41
ID GHSA-876R-HJ45-FW7G
Type github
Reporter GitHub Advisory Database
Modified 2020-09-03T21:18:41

Description

All versions of safer-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. It is possible to escape the sandbox by forcing exceptions recursively in the evaluated code. This may allow attacker to execute arbitrary code in the system.

Recommendation

The package is not suited to receive arbitrary user input. Consider using an alternative package.