Severity: critical

Sandbox Breakout



Affected versions of safe-eval are vulnerable to a sandbox escape. Code evaluated in the sandbox can walk the object constructor chain (`this.constructor.constructor`) to reach the host realm's Function constructor; a function built that way runs outside the sandbox, so unsanitized user input gains access to the host `process` object and, through it, the entire standard library, effectively breaking out of the sandbox.

Proof of Concept:

This code obtains the host Function constructor through the sandbox's prototype chain, uses it to reach the host process object and calls .exit(), terminating the calling Node.js process:

var safeEval = require('safe-eval');
// `this` inside the sandbox still inherits from the host Object.prototype, so
// this.constructor is the host Object and .constructor on it is the host
// Function constructor. A function it builds runs outside the sandbox, where
// `process` is in scope.
safeEval("this.constructor.constructor('return process')().exit()");


Remediation:

Upgrade safe-eval to version 0.4.0 or later. Treat any in-process evaluation of untrusted code as a risk regardless: safe-eval builds on Node's vm module, which Node's own documentation states is not a security mechanism.


Advisory timeline

  1. published

    Advisory published
    Aug 30th, 2017
  2. reported

    Initial report by Alessandro Nadalin
    Apr 19th, 2017