VYPR
Critical severity · NVD Advisory · Published Dec 21, 2022 · Updated Apr 16, 2025

Prototype Pollution

CVE-2022-25904

Description

All versions of safe-eval are vulnerable to Prototype Pollution, allowing attackers to add or modify Object.prototype properties via the safeEval function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

CVE-2022-25904 affects all versions of the safe-eval npm package. It is a Prototype Pollution issue in the safeEval function, which evaluates caller-supplied JavaScript in a Node.js vm context. The vm module is not a security boundary (Node.js's own documentation says so): the sandbox object handed to the context is an ordinary host object, so property lookups on the sandboxed global fall through to host intrinsics such as the host Object.prototype. Code running inside the "sandbox" can therefore add or modify properties on the host Object.prototype, which every object in the application inherits from [1][2][4].

Exploitation

An attacker exploits this by passing a crafted JavaScript expression to safeEval. For example, the expression "__proto__.test = 123" adds a test property to the host Object.prototype: the bare identifier __proto__ is resolved against the sandbox's global object, which inherits from the host Object.prototype, so the assignment lands on the host prototype rather than on the sandbox's own. Afterwards ({}).test evaluates to 123 anywhere in the calling application. No authentication is required when the application feeds user-supplied input to safeEval; the attack surface is every code path that evaluates untrusted expressions with this library [3][4].

Impact

Prototype Pollution can lead to denial of service (for example, an injected property of an unexpected type causing an exception in code that walks or inspects objects), property tampering (overriding defaults, access-control flags or configuration that code reads from object properties), or remote code execution when a polluted property reaches a template engine, a child-process option or a similar sink, depending on how the application uses the affected objects. Since Object.prototype is shared by every object in the process, a single polluted property alters application behaviour globally [3].

Mitigation

The safe-eval package is deprecated and every published version is affected; no patch is available. Do not pass untrusted input to safe-eval. The vm module it builds on is documented by Node.js as not being a security mechanism, so swapping in another vm-based wrapper does not help: vm2, once the usual recommendation, has since been discontinued by its maintainers after repeated sandbox escapes. Untrusted code should run under real isolation, such as a separate process or container with reduced privileges or a V8-isolate-based sandbox such as isolated-vm, with host-side prototype-pollution checks only as a secondary control. The project's maintainer has acknowledged the issue and recommends not using the library for user-submitted code [2][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: safe-eval (npm)
Affected versions: <= 0.4.1
Patched versions: none

Affected products: 2

Patches: 0. No patches discovered yet.


References: 4
