Skip to content

hull.js Code Injection Vulnerability

Critical severity GitHub Reviewed Published Nov 30, 2024 in andriiheonia/hull • Updated Dec 2, 2024

Package

npm hull.js (npm)

Affected versions

>= 0.2.2, < 1.0.10

Patched versions

1.0.10

Description

Versions of the library from 0.2.2 to 1.0.9 are vulnerable to the arbitrary code execution due to unsafe usage of new Function(...) in the module that handles points format. Applications passing the 3rd parameter to the hull function without sanitising may be impacted. The vulnerability has been fixed in version 1.0.10, please update the library. Check project homepage on GitHub to see how to fetch the latest version: https://github.com/andriiheonia/hull?tab=readme-ov-file#npm-package

References

@andriiheonia andriiheonia published to andriiheonia/hull Nov 30, 2024
Published to the GitHub Advisory Database Dec 2, 2024
Reviewed Dec 2, 2024
Last updated Dec 2, 2024

Severity

Critical

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-q849-wxrc-vqrp

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.