Severity: critical

Arbitrary Code Injection

pouchdb

Overview

Affected versions of pouchdb do not properly sandbox the code execution engine that executes the map/reduce functions for temporary views and design documents. Under certain circumstances, an attacker could use this to run arbitrary code on the server.

Remediation

Update to version 6.0.5 or later.

Advisory timeline

  1. published: Advisory published, Oct 17th, 2016
  2. reported: Initial report by micaksica, Aug 25th, 2016