All safer-eval versions

safer-eval @1.3.6

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: No
Dependencies: 1
Dev Dependencies: 21
Package Size: 34.2 KB
Published:

harmful as eval

Maintainers

commenthol

Keywords

evalsafe

Dependencies (1)

Package  Constraint  Registry Status
clones  ^1.2.0  auto_approved

Dev Dependencies (21)

Package  Constraint  Registry Status
nyc  ^14.1.1  auto_approved
karma  ^4.2.0  auto_approved
mocha  ^6.1.4  auto_approved
eslint  ^6.0.1  auto_approved
rimraf  ^2.6.3  auto_approved
webpack  ^4.35.3  auto_approved
@babel/cli  ^7.5.0  auto_approved
@babel/core  ^7.5.4  auto_approved
karma-mocha  ^1.3.0  auto_approved
babel-loader  ^8.0.6  No greenflagged match
karma-webpack  ^4.0.2  auto_approved
@babel/preset-env  ^7.5.4  auto_approved
eslint-plugin-node  ^9.1.0  No greenflagged match
karma-spec-reporter  ~0.0.32  No greenflagged match
eslint-plugin-import  ^2.18.0  auto_approved
eslint-plugin-promise  ^4.2.1  auto_approved
karma-chrome-launcher  ^3.0.0  auto_approved
eslint-config-standard  ^13.0.1  auto_approved
eslint-plugin-standard  ^4.0.0  auto_approved
karma-firefox-launcher  ^1.1.0  auto_approved
karma-sourcemap-loader  ^0.3.7  auto_approved

Transitive Dependency Tree

1 transitive deps max depth 1
  ├─ clones ^1.2.0 → 1.2.0

SAST Findings (3)

CRITICAL GHSA-876r-hj45-fw7g: Sandbox Breakout / Arbitrary Code Execution in safer-eval osv

All versions of `safer-eval` are vulnerable to Sandbox Escape leading to Remote Code Execution. It is possible to escape the sandbox by forcing exceptions recursively in the evaluated code. This may allow an attacker to execute arbitrary code on the system.

Recommendation: The package is not suited to receive arbitrary user input. Consider using an alternative package.

CRITICAL GHSA-v63x-xc9j-hhvq: Sandbox Breakout / Arbitrary Code Execution in safer-eval osv

CVSS 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

All versions of `safer-eval` are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context and is not suited to process arbitrary user input. This may allow attackers to execute arbitrary code on the system.

Recommendation: The package is not meant to receive user input. Consider using an alternative package until a fix is made available.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 100 (capped from 143). Findings: 2 critical (+80), 6 medium (+60), 1 low (+3).

Commit: d79adcff94b7

Published to npm: