Sandbox Breakout / Arbitrary Code Execution in safer-eval

2019-12-11T02:01:44
ID GHSA-V63X-XC9J-HHVQ
Type github
Reporter GitHub Advisory Database
Modified 2020-08-31T18:58:59

Description

All versions of safer-eval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to process arbitrary user input. This may allow attackers to execute arbitrary code in the system.

Recommendation

The package is not meant to receive user input. Consider using an alternative package until a fix is made available.