Arbitrary JavaScript Execution in typed-function

Description

Versions of typed-function prior to 0.10.6 are vulnerable to Arbitrary JavaScript Execution. Function names are not properly sanitized and may allow an attacker to execute arbitrary code.

Recommendation

Update the typed-function package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.10.6
• Patched version(s): 0.10.6

References

• GHSA-3qh4-r86r-grvm
• snyk.io
• www.npmjs.com
• CVE-2017-1001004
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - CVE-2024-4367
• React Editable Json Tree vulnerable to arbitrary code execution via function parsing - CVE-2022-36010
• jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
• Arbitrary Code Execution in mathjs - mathjs - CVE-2017-1001002

You might also like:

How to Secure your NodeJs Express Javascript Application - part 2

Secure Coding 101: How to Use Random Function

SmartScanner 2.3: Smarter JavaScript Detection, Faster Scans, and Powerful CLI Enhancements

Tags:

npm

typed-function