2 matches found
CVE-2022-25760
All versions of package accesslog are vulnerable to Arbitrary Code Injection due to the usage of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, it is possible for an attacker to...
GHSA-38F5-GHC2-FCMV Code Injection in cryo
All versions of cryo are vulnerable to code injection due to an Insecure implementation of deserialization. Proof of concept js var Cryo = require'cryo'; var frozen = '"root":"CRYOREF3","references":"contents":,"value":"CRYOFUNCTIONfunction console.log\"defconrussia\"; return...