Description
The static-eval module is intended to evaluate statically analyzable expressions. In affected versions, an expression supplied by an untrusted user can reach the global Function constructor, which effectively allows arbitrary code execution.
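A caller-side guard for the access path described above, as an added example that is not static-eval's code and not the project's fix: it walks an ESTree-style AST before evaluation and reports any member access that names `constructor`, `__proto__` or `prototype`, or whose property name is only known at run time. The function names, the deny list and the sample ASTs are assumptions constructed for illustration.

```javascript
// Added example (hypothetical helper names); sample ASTs below are constructed.
const DENIED = new Set(['constructor', '__proto__', 'prototype']);

// Statically known property name of a MemberExpression, or null when
// the name is only resolved at run time (e.g. obj[key]).
function propertyName(node) {
  const p = node.property;
  if (!node.computed && p.type === 'Identifier') return p.name;
  if (p.type === 'Literal') return String(p.value);
  return null;
}

// Walk every node of the AST and collect reasons to refuse evaluation.
function findUnsafeAccess(node, findings = []) {
  if (Array.isArray(node)) {
    for (const child of node) findUnsafeAccess(child, findings);
    return findings;
  }
  if (!node || typeof node.type !== 'string') return findings;
  if (node.type === 'MemberExpression') {
    const name = propertyName(node);
    if (name === null) findings.push('dynamic property access');
    else if (DENIED.has(name)) findings.push('denied property: ' + name);
  }
  for (const key of Object.keys(node)) {
    const value = node[key];
    if (value && typeof value === 'object') findUnsafeAccess(value, findings);
  }
  return findings;
}

// Constructed sample input: small ESTree fragments built by hand.
const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const member = (object, property, computed) =>
  ({ type: 'MemberExpression', object, property, computed });

const SAMPLES = {
  plain: { type: 'BinaryExpression', operator: '*',
           left: member(id('order'), id('total'), false), right: lit(2) },
  dotted: member(id('order'), id('constructor'), false),
  quoted: member(id('order'), lit('constructor'), true),
  dynamic: member(id('order'), id('key'), true),
};

for (const [label, ast] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(findUnsafeAccess(ast)));
}
```

A name-based deny list only narrows the reachable surface; the evaluator should still be treated as unsafe for untrusted input unless the installed version is confirmed unaffected.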
Remediation
References
https://github.com/substack/static-eval/pull/18
https://maustin.net/articles/2017-10/static_eval
https://nodesecurity.io/advisories/548
Related Vulnerabilities
CVE-2020-7680 Vulnerability in npm package docsify
CVE-2020-28498 Vulnerability in npm package elliptic
CVE-2021-46366 Vulnerability in maven package info.magnolia:magnolia-core
CVE-2020-15138 Vulnerability in maven package org.webjars.npm:prismjs
CVE-2019-16772 Vulnerability in npm package serialize-javascript