CVE-2017-16226

EPSS 3.6%CWE-20

The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution.

Affected products

HackerOne · static-eval node module node module

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/substack/static-eval/pull/18 https://maustin.net/articles/2017-10/static_eval https://nodesecurity.io/advisories/548