Versions of pitboss-ng
prior to 2.0.0 are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through this.constructor.constructor
. This may allow attackers to execute arbitrary code in the system. Evaluating the payload this.constructor.constructor('return process.env')()
prints the contents of process.env
.
Upgrade to version 2.0.0 or later.