GHSA-29xr-v42j-r956

Suggest an improvement
Source
https://github.com/advisories/GHSA-29xr-v42j-r956
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-29xr-v42j-r956/GHSA-29xr-v42j-r956.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-29xr-v42j-r956
Aliases
Published
2022-07-18T19:15:29Z
Modified
2024-02-17T05:35:43.966318Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
thenify before 3.3.1 made use of unsafe calls to `eval`.
Details

Versions of thenify prior to 3.3.1 made use of unsafe calls to eval. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to eval.

Database specific
{
    "nvd_published_at": "2022-07-25T14:15:00Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-18T19:15:29Z"
}
References

Affected packages

npm / thenify

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.3.1

Maven / org.webjars.npm:thenify

Package

Name
org.webjars.npm:thenify
View open source insights on deps.dev
Purl
pkg:maven/org.webjars.npm/thenify

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.3.1

Affected versions

3.*

3.1.0
3.3.0