Description
The static-eval module is intended to evaluate statically analyzable expressions. In affected versions, untrusted user input can reach the global `Function` constructor, effectively allowing arbitrary code execution.
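One way to screen a parsed expression before it is evaluated, as an added example that is not code from static-eval or from its fix. It assumes an ESTree-shaped AST (the node format parsers such as esprima produce); `findUnsafeAccess`, `propertyName` and `BLOCKED` are hypothetical names, and the sample ASTs are constructed by hand.

```javascript
// Added example: refuse expressions whose AST reads properties that lead to Function.
// findUnsafeAccess, propertyName and BLOCKED are hypothetical names, not static-eval's API.
const BLOCKED = new Set(['constructor', '__proto__', 'prototype']);

// Name a MemberExpression reads, or null when it is not known statically.
function propertyName(node) {
  if (!node.computed && node.property.type === 'Identifier') return node.property.name;
  if (node.property.type === 'Literal') return String(node.property.value);
  return null; // computed from a non-literal, e.g. obj[k]
}

// Walk every node and collect the reasons to refuse evaluation.
function findUnsafeAccess(node, found = []) {
  if (!node || typeof node !== 'object') return found;
  if (Array.isArray(node)) {
    node.forEach((child) => findUnsafeAccess(child, found));
    return found;
  }
  if (node.type === 'MemberExpression') {
    const name = propertyName(node);
    if (name === null) found.push('dynamic property access');
    else if (BLOCKED.has(name)) found.push('access to ' + name);
  }
  for (const key of Object.keys(node)) findUnsafeAccess(node[key], found);
  return found;
}

// Why the property matters: every function value links to the global Function constructor.
function reachesFunctionConstructor() {
  return (function () {}).constructor === Function;
}

// Constructed sample ASTs, hand-written in ESTree shape.
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const member = (object, property, computed = false) =>
  ({ type: 'MemberExpression', object, property, computed });
const samples = {
  benign: { type: 'BinaryExpression', operator: '+', left: member(id('a'), id('b')), right: lit(1) },
  dotted: member(id('f'), id('constructor')),        // f.constructor
  quoted: member(id('f'), lit('constructor'), true), // f["constructor"]
  dynamic: member(id('f'), id('k'), true),           // f[k]
  nested: { type: 'ArrayExpression', elements: [lit(1), member(id('f'), id('constructor'))] },
};

for (const [name, ast] of Object.entries(samples)) {
  console.log(name, findUnsafeAccess(ast));
}
```

Property names computed at run time cannot be checked against the list, so the walk reports them as findings instead of letting them through.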
Remediation
References
https://nodesecurity.io/advisories/548
https://maustin.net/articles/2017-10/static_eval
https://github.com/substack/static-eval/pull/18