VYPR
Critical severity · NVD Advisory · Published Apr 11, 2023 · Updated Feb 10, 2025

CVE-2023-26121

Description

All versions of the safe-eval npm package are vulnerable to Prototype Pollution via the safeEval function due to insufficient input sanitization, allowing attackers to pollute Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2023-26121 affects all versions of the safe-eval npm package. The vulnerability is a Prototype Pollution issue in the safeEval function, which fails to properly sanitize its parameter content [1]. Prototype Pollution occurs when an attacker can inject properties into the Object.prototype, which then propagates to all JavaScript objects via the prototype chain [3].

Exploitation

An attacker can exploit this by passing crafted JavaScript code to safeEval. The code can manipulate the __proto__ property or use techniques like Error.prepareStackTrace to gain access to the internal this context and pollute the prototype [4]. No authentication is required if the function is exposed to user input, making it a significant risk for applications that evaluate untrusted code.

Impact

Successful exploitation can lead to denial of service (via exceptions), property injection, or even remote code execution if the application relies on polluted properties for security decisions or control flow [3]. The vulnerability undermines the intended sandboxing of safe-eval, which was designed to provide a safer alternative to eval() [2].

Mitigation

As of the publication date, no patch is available; all versions are affected. The vendor recommends using safe-eval only with trusted, self-generated content [2]. Users should consider replacing it with a more robust sandboxing solution or avoiding dynamic code evaluation altogether.
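The following is an added example, not code from the advisory or from the safe-eval project. It reproduces the mechanism the Overview describes (a write through __proto__ lands on Object.prototype and is inherited by every object created afterwards) and shows three defender-side measures: a baseline check that detects unexpected Object.prototype members, own-property lookups so that inherited keys cannot steer a decision, and freezing Object.prototype at startup. All function names and the "isAdmin" session key are hypothetical; the pollute function is a constructed stand-in for an evaluator that lets caller-controlled input reach __proto__, not a safe-eval escape.

```javascript
// Own property names of Object.prototype in a clean process (taken at load).
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Names present on Object.prototype that were not there at baseline.
function detectPollution() {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !BASELINE.has(n));
}

// Constructed stand-in for an evaluator that lets caller-controlled input
// reach __proto__; the write resolves to Object.prototype, not to obj.
function pollute(key, value) {
  const obj = {};
  obj.__proto__[key] = value;
}

// Removes the polluted key so the rest of the process is unaffected.
function cleanup(key) {
  delete Object.prototype[key];
}

// Vulnerable pattern: a plain read walks the prototype chain, so a polluted
// "isAdmin" is honoured for a session object that never set it.
function isAdminUnsafe(session) {
  return Boolean(session.isAdmin);
}

// Hardened pattern: only an own property with the exact expected value counts.
function isAdminSafe(session) {
  return Object.prototype.hasOwnProperty.call(session, "isAdmin") && session.isAdmin === true;
}

// Hardening at startup (after legitimate polyfills are installed): a frozen
// Object.prototype ignores later writes in sloppy mode and throws in strict mode.
function freezePrototypes() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// End-to-end run: pollute, observe both lookups and the detector, clean up.
function demo() {
  pollute("isAdmin", true);
  const result = {
    unsafe: isAdminUnsafe({ user: "guest" }),
    safe: isAdminSafe({ user: "guest" }),
    found: detectPollution(),
  };
  cleanup("isAdmin");
  return result;
}
```

Running demo() on Node shows the unsafe lookup granting admin to a guest session while the hardened lookup and the baseline detector both flag the pollution; once freezePrototypes() has run, further __proto__ writes no longer reach new objects.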

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: safe-eval (npm)
Affected versions: <= 0.4.2
Patched versions: (none)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 5

News mentions: 0 (no linked articles in the index yet)