Description
The static-eval module is intended to evaluate statically analyzable expressions. In affected versions, untrusted user input can reach the global `Function` constructor, effectively allowing arbitrary code execution.
Remediation
References
https://nodesecurity.io/advisories/548
https://maustin.net/articles/2017-10/static_eval
https://github.com/substack/static-eval/pull/18