Open po6ix opened 4 years ago
Thanks for the report! As the readme says, we don't encourage people to use static-eval on untrusted input because of things like this; there are probably many more undiscovered ways too :sweat_smile:
I'll see if there is a simple fix for this, anyway, but it's not the highest priority.
poc
details in https://blog.p6.is/bypassing-a-js-sandbox/#Prototype-Pollution-to-Remote-Code-Execution