CVE-2022-25904

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-25904

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25904.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-25904

Aliases

GHSA-33vh-7x8q-mg35

Published

2022-12-20T05:15:11.487Z

Modified

2025-11-14T13:05:15.298726Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototype.Consolidate when using the function safeEval. This is because the function uses vm variable, leading an attacker to modify properties of the Object.prototype.

References

Affected packages

Git / github.com/hacksparrow/safe-eval

Affected ranges

Type: GIT
Repo: https://github.com/hacksparrow/safe-eval
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

e6c5dba9a8b3e151b012d5ed50e3a781592911ac

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.4.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25904.json"