Description
The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.
Remediation
References
https://github.com/substack/static-eval/pull/18
https://maustin.net/articles/2017-10/static_eval
https://nodesecurity.io/advisories/548
Related Vulnerabilities
CVE-2018-19360 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2018-20677 Vulnerability in npm package bootstrap
CVE-2021-33041 Vulnerability in npm package vmd
CVE-2022-22965 Vulnerability in maven package org.springframework.boot:spring-boot-starter-web
CVE-2023-47327 Vulnerability in maven package org.silverpeas.core:silverpeas-core-web