Severity: Critical
CVSS Score: 10
All versions of `veval` are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through `this.constructor.constructor` . This may allow attackers to execute arbitrary code in the system. Evaluating the payload `this.constructor.constructor('return process.env')()` prints the contents of `process.env`. ## Recommendation No fix is currently available. Consider using an alternative package until a fix is made available.