EUVD-2022-7480

Malicious code in bioql PyPI...

EUVD-2023-1322

Malicious code in bioql PyPI...

@550w-tools/cli (>=0.0.14 <=0.0.16), @550w-tools/core (>=0.0.14 <=0.0.16) +538 more potentially affected by CVE-2023-26122 via safe-eval (>=0.2.0 <=0.4.1)

safe-eval NPM version =0.2.0, =0.0.14, =0.0.14, =0.0.13, =0.0.14, =0.0.15, =1.0.1, =1.0.2, =1.0.3, =1.1.2, =0.1.16, =1.0.0, =0.3.0, =0.20.0, =2.0.295, =2.0.315 and more Source cves: CVE-2023-26122 Source advisory: OSV:GHSA-79XF-67R4-Q2JJ...

@550w-tools/cli (>=0.0.14 <=0.0.16), @550w-tools/core (>=0.0.14 <=0.0.16) +538 more potentially affected by CVE-2023-26121 via safe-eval (>=0.2.0 <=0.4.1)

safe-eval NPM version =0.2.0, =0.0.14, =0.0.14, =0.0.13, =0.0.14, =0.0.15, =1.0.1, =1.0.2, =1.0.3, =1.1.2, =0.1.16, =1.0.0, =0.3.0, =0.20.0, =2.0.295, =2.0.315 and more Source cves: CVE-2023-26121 Source advisory: OSV:GHSA-HCG3-56JF-X4VH...

CVE-2023-26122

All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution "RCE". Vulnerable functions: defineGetter, stack,...

@550w-tools/cli (>=0.0.14 <=0.0.16), @550w-tools/core (>=0.0.14 <=0.0.16) +538 more potentially affected by CVE-2023-26122 via safe-eval (>=0.2.0 <=0.4.1)

safe-eval NPM version =0.2.0, =0.0.14, =0.0.14, =0.0.13, =0.0.14, =0.0.15, =1.0.1, =1.0.2, =1.0.3, =1.1.2, =0.1.16, =1.0.0, =0.3.0, =0.20.0, =2.0.295, =2.0.315 and more Source cves: CVE-2023-26122 Source advisory: SNYK:JS-SAFEEVAL-3373064...

@550w-tools/cli (>=0.0.14 <=0.0.16), @550w-tools/core (>=0.0.14 <=0.0.16) +538 more potentially affected by CVE-2023-26121 via safe-eval (>=0.2.0 <=0.4.1)

safe-eval NPM version =0.2.0, =0.0.14, =0.0.14, =0.0.13, =0.0.14, =0.0.15, =1.0.1, =1.0.2, =1.0.3, =1.1.2, =0.1.16, =1.0.0, =0.3.0, =0.20.0, =2.0.295, =2.0.315 and more Source cves: CVE-2023-26121 Source advisory: SNYK:JS-SAFEEVAL-3373062...

CVE-2022-25904 Prototype Pollution

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the...

@550w-tools/cli (>=0.0.14 <=0.0.16), @550w-tools/core (>=0.0.14 <=0.0.16) +538 more potentially affected by CVE-2022-25904 via safe-eval (>=0.2.0 <=0.4.1)

safe-eval NPM version =0.2.0, =0.0.14, =0.0.14, =0.0.13, =0.0.14, =0.0.15, =1.0.1, =1.0.2, =1.0.3, =1.1.2, =0.1.16, =1.0.0, =0.3.0, =0.20.0, =2.0.295, =2.0.315 and more Source cves: CVE-2022-25904 Source advisory: OSV:GHSA-33VH-7X8Q-MG35...

@550w-tools/cli (>=0.0.14 <=0.0.16), @550w-tools/core (>=0.0.14 <=0.0.16) +538 more potentially affected by CVE-2022-25904 via safe-eval (>=0.2.0 <=0.4.1)

safe-eval NPM version =0.2.0, =0.0.14, =0.0.14, =0.0.13, =0.0.14, =0.0.15, =1.0.1, =1.0.2, =1.0.3, =1.1.2, =0.1.16, =1.0.0, =0.3.0, =0.20.0, =2.0.295, =2.0.315 and more Source cves: CVE-2022-25904 Source advisory: SNYK:JS-SAFEEVAL-3175701...

@550w-tools/cli (>=0.0.14 <=0.0.16), @550w-tools/core (>=0.0.14 <=0.0.16) +538 more potentially affected by unknown CVE via safe-eval (>=0.2.0 <=0.4.1)

safe-eval NPM version =0.2.0, =0.0.14, =0.0.14, =0.0.13, =0.0.14, =0.0.15, =1.0.1, =1.0.2, =1.0.3, =1.1.2, =0.1.16, =1.0.0, =0.3.0, =0.20.0, =2.0.295, =2.0.315 and more Source cves: unknown CVE Source advisory: OSV:GHSA-9PCF-H8Q9-63F6...

@ajaxlinux/tools (>=1.1.2 <=1.1.7), @autorest/powershell (>=2.0.295 <=2.0.315) +239 more potentially affected by CVE-2017-16088 via safe-eval (>=0.2.0 <=0.3.0)

safe-eval NPM version =0.2.0, =1.1.2, =2.0.295, =2.0.4, =2.0.142, =3.0.136, =3.0.142, =4.0.149, =3.0.129, =1.2.9, =1.1.4, =0.0.34, =0.1.0 and more Source cves: CVE-2017-16088 Source advisory: OSV:GHSA-WW6V-677G-P656...

Remote Code Execution (RCE)

safe-eval is vulnerable to remote code execution RCE. The application does not properly sanitize user input in object constructors, allowing a malicious user to break out of the Sandbox and execute arbitrary commands...