CVE-2023-26122
HIGHsafe-eval < 0.4.1 - Sandbox Bypass via Prototype Pollution
Title source: llmDescription
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution ("RCE"). **Vulnerable functions:** __defineGetter__, stack(), toLocaleString(), propertyIsEnumerable.call(), valueOf().
References (8)
Core 8
Core References
Exploit, Third Party Advisory
https://gist.github.com/seongil-wi/2db6cb884e10137a93132b7f74879cce
Exploit, Issue Tracking, Third Party Advisory
https://github.com/hacksparrow/safe-eval/issues/27
Exploit, Issue Tracking, Third Party Advisory
https://github.com/hacksparrow/safe-eval/issues/31
Exploit, Issue Tracking, Third Party Advisory
https://github.com/hacksparrow/safe-eval/issues/32
Exploit, Issue Tracking, Third Party Advisory
https://github.com/hacksparrow/safe-eval/issues/33
Exploit, Issue Tracking, Third Party Advisory
https://github.com/hacksparrow/safe-eval/issues/34
Exploit, Issue Tracking, Third Party Advisory
https://github.com/hacksparrow/safe-eval/issues/35
Exploit, Issue Tracking, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373064
Scores
CVSS v3
8.8
EPSS
0.0210
EPSS Percentile
79.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-265
CWE-1321
Status
published
Products (2)
npm/safe-eval
0npm
safe-eval_project/safe-eval
< 0.4.1
Published
Apr 11, 2023
Tracked Since
Feb 18, 2026