Description
Affected versions of pouchdb do not properly sandbox the code execution engine that executes the map/reduce functions for temporary views and design documents. Under certain circumstances, an attacker could use this to run arbitrary code on the server.
Recommendation
Update the pouchdb package to the latest compatible version. Version details:
- Affected version(s): < 6.0.5
- Patched version(s): 6.0.5
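One way to check a project against the version boundary above, as an added example that is not part of the advisory: a Node.js function that walks a parsed package-lock.json (the nested v1 layout and the flat v2/v3 `packages` map) and classifies every installed copy of pouchdb relative to 6.0.5. The sample lockfile, the package name `sync-tool`, and the function names `classify` and `findPouchdb` are constructed for illustration.

```javascript
// Added example, not from the advisory: audit a parsed package-lock.json
// for pouchdb installs below the patched release 6.0.5.
const PATCHED = [6, 0, 5];

// Returns 'affected', 'patched', or 'unknown' (non-semver spec such as a git URL).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return 'unknown';
  const nums = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== PATCHED[i]) return nums[i] < PATCHED[i] ? 'affected' : 'patched';
  }
  // Same major.minor.patch: a prerelease of 6.0.5 sorts before 6.0.5 itself.
  return m[4] ? 'affected' : 'patched';
}

// Collect every installed copy of pouchdb, including copies nested under other packages.
function findPouchdb(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/pouchdb' || path.endsWith('/node_modules/pouchdb')) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because v2 lockfiles carry both and would report duplicates.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'pouchdb') hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map((h) => ({ ...h, status: classify(h.version) }));
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/pouchdb': { version: '6.0.4' },
    'node_modules/sync-tool/node_modules/pouchdb': { version: '6.0.5' },
  },
};
console.log(findPouchdb(SAMPLE_LOCK));
```

To audit a real project, pass the result of `JSON.parse` on the contents of its package-lock.json; entries reported as `unknown` need a manual look at what they resolve to.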
References
Related Issues
- Elysia affected by arbitrary code injection through cookie config - CVE-2025-66457
- xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection (GHSA-h4j5-c7cj-74xg) - CVE-2020-28502
- xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - CVE-2020-28502
- React Editable Json Tree vulnerable to arbitrary code execution via function parsing - CVE-2022-36010
Tags
- npm
- pouchdb
Last updated on January 09, 2023