CVE-2017-16088

CRITICAL

safe-eval - Sandbox Escape via Object Constructor Access

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-16088. PoCs published by Flyy-yu.

AI-analyzed exploit summary This repository contains only a README.md file referencing CVE-2017-16088, a vulnerability in the D-Link DIR-850L router. No exploit code or technical details are provided.

Description

The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox.

Exploits (1)

nomisec WRITEUP
by Flyy-yu · poc
https://github.com/Flyy-yu/CVE-2017-16088

This repository contains only a README.md file referencing CVE-2017-16088, a vulnerability in the D-Link DIR-850L router. No exploit code or technical details are provided.

Classification
Writeup 30%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: D-Link DIR-850L router
No auth needed
Prerequisites: none
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory x_refsource_misc
https://github.com/patriksimek/vm2/issues/59
Third Party Advisory x_refsource_misc
https://github.com/hacksparrow/safe-eval/issues/5
Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/337

Scores

CVSS v3 10.0
EPSS 0.0206
EPSS Percentile 84.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-610
Status published
Products (5)
npm/safe-eval 0npm
safe-eval_project/safe-eval 0.0.0
safe-eval_project/safe-eval 0.1.0
safe-eval_project/safe-eval 0.2.0
safe-eval_project/safe-eval 0.3.0
Published Jun 07, 2018
Tracked Since Feb 18, 2026