Sandbox Bypass

Affecting constantinople package, versions <3.1.1

high severity

Overview

constantinople determines whether a JavaScript expression evaluates to a constant (using acorn).

Affected versions of this package are vulnerable to a sandbox bypass which can lead to arbitrary code execution.

Remediation

Upgrade constantinople to version 3.1.1 or higher.
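Because constantinople is usually pulled in transitively (for example by template engines), the practical check is to scan the lockfile rather than package.json. The following scanner is an added example, not code from Snyk or from the constantinople project: it walks a package-lock.json object (both the lockfileVersion 2/3 "packages" map and the lockfileVersion 1 nested "dependencies" tree), collects every installed copy of constantinople, and flags those below the fixed version 3.1.1. The sample lockfiles are constructed for the example, and the version comparison is a simplified "major.minor.patch" compare that ignores pre-release tags.

```javascript
// Added example: flag constantinople installs below the fixed version named in the advisory.
const FIXED_VERSION = '3.1.1';

// Simplified semver compare: numeric major.minor.patch only, pre-release suffix dropped.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected means strictly older than the remediation version.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every constantinople entry from a parsed package-lock.json object.
function findConstantinople(lock) {
  const found = [];

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/constantinople$/.test(path) && meta.version) {
      found.push({ path, version: meta.version });
    }
  }

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'constantinople' && meta.version) {
        found.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');

  return found;
}

// Only the installs that still need the upgrade.
function affectedInstalls(lock) {
  return findConstantinople(lock).filter((entry) => isAffected(entry.version));
}

// Constructed sample: lockfileVersion 2 with one vulnerable and one fixed copy.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/constantinople': { version: '3.1.0' },
    'node_modules/pug': { version: '2.0.3' },
    'node_modules/pug/node_modules/constantinople': { version: '3.1.2' },
  },
};

// Constructed sample: lockfileVersion 1 with a vulnerable nested copy under pug.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    pug: {
      version: '2.0.3',
      dependencies: { constantinople: { version: '3.0.2' } },
    },
    constantinople: { version: '3.1.1' },
  },
};

for (const lock of [SAMPLE_LOCK_V2, SAMPLE_LOCK_V1]) {
  for (const hit of affectedInstalls(lock)) {
    console.log(`needs upgrade: ${hit.path}@${hit.version} (fixed in ${FIXED_VERSION})`);
  }
}
```

To run it against a real project, replace the constructed samples with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies under other packages are the ones most often missed by a glance at package.json.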

Credit: Mike Samuel
CWE: CWE-264
Snyk ID: npm:constantinople:20180421
Disclosed: 21 Apr, 2018
Published: 09 May, 2018