CVE-2020-6836

CRITICAL

hot-formula-parser < 3.0.1 - Remote Code Execution via Unsanitized Formula Input

Title source: llm

Description

grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may allow attackers to run arbitrary commands on the server.

References (3)

Core 3

Core References

Patch, Third Party Advisory x_refsource_misc

https://www.npmjs.com/advisories/1439

Patch x_refsource_misc

https://github.com/handsontable/formula-parser/commit/396b089738d4bf30eb570a4fe6a188affa95cd5e

View Patch ZIP pw:eip

Various Sources x_refsource_misc

https://blog.truesec.com/2020/01/17/reverse-shell-through-a-node-js-math-parser/

Scores

CVSS v3 9.8

EPSS 0.0211

EPSS Percentile 79.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

hot-formula-parser_project/hot-formula-parser < 3.0.1

npm/hot-formula-parser 0 - 3.0.1npm

Published Jan 11, 2020

Tracked Since Feb 18, 2026