VYPR
High severity · NVD Advisory · Published Apr 27, 2020 · Updated Aug 4, 2024

CVE-2020-7640

Description

pixl-class before 1.0.3 allows arbitrary code execution via unsanitized user input to the members argument of the create function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability details

CVE-2020-7640 is an arbitrary code execution vulnerability in the pixl-class npm package, versions prior to 1.0.3. The flaw is in how the create function handles the `__parent` entry of its members argument. Pre-1.0.3 code calls `toString()` on `__parent`, cuts out the text between the first "(" and ")" as the argument list and the text between the first "{" and the last "}" as the body, and splices both into a string passed to eval() to build the inherited constructor. Nothing checks that `__parent` is actually a function, so an attacker who controls that entry controls the source text that eval() runs [1][3].

Exploitation

Exploitation does not require authentication; an attacker only needs to control the members object passed to create(), with `__parent` set to a string of their choosing. Because the library slices purely on bracket positions, a value such as 'function(){}; console.log(123)//}' yields an empty argument list and a body of '}; console.log(123)//', so the text handed to eval() becomes constructor = function () {}; console.log(123)//}; and the injected statement runs during class creation [3]. Any application that builds classes with pixl-class from user-controlled data is exposed.

Impact

Successful exploitation gives the attacker arbitrary JavaScript execution in the process that calls create(), on the server or in the client where pixl-class is used. From there the attacker can spawn system commands, exfiltrate data, or perform other actions with the privileges of the running process [1][3].

Mitigation

The vulnerability was patched in version 1.0.3, which drops the eval() and instead wraps the parent constructor in a plain function that forwards its arguments via parent.apply() [2]. All users should upgrade to pixl-class 1.0.3 or later. There are no known workarounds; upgrading the package is the recommended fix [3].
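The eval-based inheritance described under Details and Exploitation, beside the eval-free wrapper that the 1.0.3 fix introduces (Mitigation), as an added example written for this page; it is not pixl-class's own code. Only the lines inside the two "inherit parent's constructor" branches follow the published diff. The surrounding shape of create(), the `__construct` branch, the copyMembers helper, the probe, the Animal/Dog classes and the marker-setting payload are assumptions constructed for the demonstration, and createStrict adds a type check that the 1.0.3 patch does not contain.

```javascript
// Added example (not pixl-class's real code). Only the bodies of the two
// "inherit parent's constructor" branches follow the published diff; the rest
// (create()'s surrounding shape, __construct, copyMembers, probe, payload,
// sample classes) is assumed for this demonstration.

// Assumed helper: copy the parent's prototype members, then the class's own
// non-"__" members, onto the new constructor's prototype.
function copyMembers(constructor, members) {
  var parent = members.__parent;
  if (typeof parent === 'function') {
    Object.keys(parent.prototype).forEach(function (key) {
      constructor.prototype[key] = parent.prototype[key];
    });
  }
  Object.keys(members).forEach(function (key) {
    if (key.indexOf('__') !== 0) constructor.prototype[key] = members[key];
  });
  return constructor;
}

// Vulnerable shape ("-" side of the diff): __parent is stringified, the text
// between the first "(" and ")" becomes the argument list, the text between
// the first "{" and the last "}" becomes the body, and both go into eval().
// Nothing checks that __parent is a function, so a string is attacker source.
function createVulnerable(members) {
  var constructor;
  if (members.__construct) {
    constructor = members.__construct; // assumed explicit-constructor branch
  } else if (members.__parent) {
    var code = members.__parent.toString();
    var args = code.substring(code.indexOf("(") + 1, code.indexOf(")"));
    var inner_code = code.substring(code.indexOf("{") + 1, code.lastIndexOf("}"));
    eval('constructor = function (' + args + ') {' + inner_code + '};');
  } else {
    constructor = function () {};
  }
  return copyMembers(constructor, members);
}

// Patched shape ("+" side of the diff): no eval; a plain wrapper forwards its
// arguments to the parent constructor via apply().
function createPatched(members) {
  var constructor;
  if (members.__construct) {
    constructor = members.__construct;
  } else if (members.__parent) {
    var parent = members.__parent;
    constructor = function () {
      var args = Array.prototype.slice.call(arguments);
      parent.apply(this, args);
    };
  } else {
    constructor = function () {};
  }
  return copyMembers(constructor, members);
}

// Extra check suggested here, not part of the 1.0.3 patch: reject a
// non-function __parent at create() time rather than at the first `new`.
function createStrict(members) {
  if (members.__parent !== undefined && typeof members.__parent !== 'function') {
    throw new TypeError('__parent must be a function, got ' + typeof members.__parent);
  }
  return createPatched(members);
}

// Constructed attacker input, same shape as the page's payload: close the
// spliced body early, run a statement, then "//" comments out the trailing
// "};" the template appends. It sets a marker instead of console.log(123)
// so the effect is observable by return value.
var MARKER = { fired: false };
var PAYLOAD = 'function(){}; MARKER.fired = true//}';

// Run one create() variant against the payload and report what happened.
function probe(createFn) {
  MARKER.fired = false;
  var result = { injectedCodeRan: false, createThrew: false, newThrew: false };
  var Cls;
  try {
    Cls = createFn({ __parent: PAYLOAD });
  } catch (e) {
    result.createThrew = true;
  }
  result.injectedCodeRan = MARKER.fired;
  if (Cls) {
    try { new Cls(); } catch (e) { result.newThrew = true; }
  }
  return result;
}

// Constructed legitimate use: a real parent constructor must behave the same
// under every variant, which shows the fix costs nothing functionally.
function Animal(name) { this.name = name; }
Animal.prototype.kind = function () { return 'animal'; };

function legitimateUse(createFn) {
  var Dog = createFn({ __parent: Animal, bark: function () { return this.name + ' barks'; } });
  var d = new Dog('rex');
  return d.name + '|' + d.kind() + '|' + d.bark();
}

console.log('vulnerable:', probe(createVulnerable)); // injectedCodeRan: true
console.log('patched:   ', probe(createPatched));    // injectedCodeRan: false, newThrew: true
console.log('strict:    ', probe(createStrict));     // createThrew: true
```

The three probes make the difference concrete: the eval version runs the injected statement before create() even returns; the 1.0.3 wrapper never evaluates attacker text but still accepts the string and only fails when the class is first instantiated; the added type check fails closed at create() with a clear error. legitimateUse shows that a genuine parent constructor produces identical objects under all three.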

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package       Ecosystem   Affected versions   Patched versions
pixl-class    npm         < 1.0.3             1.0.3

Affected products (2)

Patches (1)

47677a3638e3

Version 1.0.3

https://github.com/jhuckaby/pixl-class · Joseph Huckaby · Mar 11, 2020 · via ghsa
2 files changed · +25 −24
  • class.js (+5 −4, modified)
    @@ -20,10 +20,11 @@ exports.create = function create(members) {
     		}
     		else {
     			// inherit parent's constructor
    -			var code = members.__parent.toString();
    -			var args = code.substring( code.indexOf("(")+1, code.indexOf(")") );
    -			var inner_code = code.substring( code.indexOf("{")+1, code.lastIndexOf("}") );
    -			eval('constructor = function ('+args+') {'+inner_code+'};');
    +			var parent = members.__parent;
    +			constructor = function() {
    +				var args = Array.prototype.slice.call(arguments);
    +				parent.apply( this, args );
    +			};
     		}
     		
     		// inherit rest of parent members
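Review bot: `var parent = members.__parent;` still accepts any value, so a non-function `__parent` (the string payload this CVE is about) now passes through create() silently and only fails later, at the first `new`, when `parent.apply` is not a function. Add a guard before building the wrapper, e.g. `if (typeof parent !== 'function') throw new TypeError('__parent must be a function');`, so bad input fails at creation time with a clear message instead of at an arbitrary later call site. Minor: `Array.prototype.slice.call(arguments)` is unnecessary, since `apply` accepts the `arguments` object directly; `parent.apply(this, arguments);` does the same in one line.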
    
  • package.json (+20 −20, modified)
    @@ -1,22 +1,22 @@
     {
    -  "name": "pixl-class",
    -  "version": "1.0.2",
    -  "description": "A simple module for creating classes, with inheritance and mixins.",
    -  "author": "Joseph Huckaby <jhuckaby@gmail.com>",
    -  "homepage": "https://github.com/jhuckaby/pixl-class",
    -  "license": "MIT",
    -  "main": "class.js",
    -  "repository": {
    -    "type": "git",
    -    "url": "https://github.com/jhuckaby/pixl-class"
    -  },
    -  "bugs": {
    -    "url": "https://github.com/jhuckaby/pixl-class/issues"
    -  },
    -  "keywords": [
    -    "oop",
    -    "class"
    -  ],
    -  "dependencies": {},
    -  "devDependencies": {}
    +	"name": "pixl-class",
    +	"version": "1.0.3",
    +	"description": "A simple module for creating classes, with inheritance and mixins.",
    +	"author": "Joseph Huckaby <jhuckaby@gmail.com>",
    +	"homepage": "https://github.com/jhuckaby/pixl-class",
    +	"license": "MIT",
    +	"main": "class.js",
    +	"repository": {
    +		"type": "git",
    +		"url": "https://github.com/jhuckaby/pixl-class"
    +	},
    +	"bugs": {
    +		"url": "https://github.com/jhuckaby/pixl-class/issues"
    +	},
    +	"keywords": [
    +		"oop",
    +		"class"
    +	],
    +	"dependencies": {},
    +	"devDependencies": {}
     }
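Review bot: the only functional change in this file is `"version": "1.0.2"` to `"version": "1.0.3"`, yet the hunk rewrites all 22 lines because indentation switched from two spaces to tabs. Land the reindent in a separate commit so the security fix stays reviewable; as it stands a reader has to compare two full copies of package.json to confirm that nothing other than the version changed.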
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)
