Critical severity9.8NVD Advisory· Published Jan 11, 2020· Updated Jun 17, 2026
CVE-2020-6836
CVE-2020-6836
Description
grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may allow attackers to run arbitrary commands on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
hot-formula-parsernpm | < 3.0.1 | 3.0.1 |
Affected products
2- hot-formula-parser/hot-formula-parserdescription
Patches
Vulnerability mechanics
References
7- github.com/handsontable/formula-parser/commit/396b089738d4bf30eb570a4fe6a188affa95cd5envdPatchWEB
- www.npmjs.com/advisories/1439nvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-rc77-xxq6-4mffghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-6836ghsaADVISORY
- blog.truesec.com/2020/01/17/reverse-shell-through-a-node-js-math-parserghsaWEB
- github.com/handsontable/formula-parser/pull/58ghsaWEB
- blog.truesec.com/2020/01/17/reverse-shell-through-a-node-js-math-parser/nvd
News mentions
0No linked articles in our index yet.