Severity: Critical
CVSS Score: 10
Versions of `mongodb-query-parser` prior to 2.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize queries, allowing attackers to execute arbitrary code on the system. Parsing the following payload executes `touch test-file`:

```js
'(function () { return (clearImmediate.constructor("return process;")()).mainModule.require("child_process").execSync("touch test-file").toString()})()'
```

## Recommendation

Upgrade to version 2.0.0 or later.
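Since the fix is a version bump, the practical check is whether any installed copy of the package is still below 2.0.0, including copies nested under other dependencies. The following is an added example, not code from the advisory or from the `mongodb-query-parser` project: it scans a parsed `package-lock.json` (assuming the standard npm lockfileVersion 1 and 2/3 layouts) and uses a constructed sample lockfile as input.

```javascript
// Added example, not part of the advisory: list installed copies of
// mongodb-query-parser older than the patched 2.0.0 release in a parsed
// package-lock.json (lockfileVersion 1 nested "dependencies" or 2/3 "packages").
const PKG = "mongodb-query-parser";
const FIXED = [2, 0, 0]; // first patched version named in the advisory

// "major.minor.patch[-pre][+build]" -> numeric triple plus pre-release flag.
// Per semver "2.0.0-rc.1" orders before "2.0.0", so it is still vulnerable.
function isVulnerable(version) {
  const [core, pre] = version.split("+")[0].split(/-(.*)/s);
  const nums = core.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    if ((nums[i] || 0) !== FIXED[i]) return (nums[i] || 0) < FIXED[i];
  }
  return pre !== undefined; // exactly 2.0.0 is fixed; a 2.0.0 pre-release is not
}

// Return "install-path@version" for every vulnerable copy in a parsed lockfile.
function findVulnerable(lock) {
  const hits = [];
  const check = (path, v) => { if (v && isVulnerable(v)) hits.push(`${path}@${v}`); };
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/a/node_modules/b"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${PKG}`)) check(path, meta.version);
    }
  } else if (lock.dependencies) {
    // v1: entries may carry their own nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PKG) check(path, meta.version);
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample (v2 shape): the top-level copy is patched, a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/mongodb-query-parser": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/mongodb-query-parser": { version: "1.6.0" },
  },
};

console.log(findVulnerable(SAMPLE_LOCK)); // -> [ 'node_modules/some-tool/node_modules/mongodb-query-parser@1.6.0' ]
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result means a vulnerable copy is still installed even if the top-level dependency was upgraded.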