
Severity: moderate

Unsafe eval()

summit

Overview

Affected versions of summit allow attackers to execute arbitrary commands via collection names when using the PouchDB driver.

Remediation

No direct patch is available at this time.

Currently, the best option to mitigate the issue is to avoid using the PouchDB driver, as the package author has abandoned this feature entirely.


Advisory timeline

  1. Published: Advisory published, Apr 14th, 2017
  2. Reported: Initial report by Cristian-Alexandru Staicu, Mar 6th, 2017