
CVE-2017-16020: Unsafe eval() in summit allows arbitrary code execution

CVSS Score: 9.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.73588%
Published: 9/1/2020
Updated: 11/14/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: summit
Ecosystem: npm
Vulnerable Versions: >= 0.1.0, <= 0.1.22
First Patched Version: none (no direct patch available)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unsafe use of eval() with unsanitized user input (collection names) when generating filter functions for PouchDB. The GitHub issue #23 explicitly shows the vulnerable pattern where collection names are concatenated into a function string that is then executed via eval(). This matches the CWE-94 (Code Injection) classification and the advisory description of arbitrary command execution via collection names.
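The pattern described above, reconstructed as an added example that is not summit's own code: a filter builder that splices a caller-supplied collection name into source text and runs it through eval(), beside a hardened builder that validates the name and captures it in a closure so it is never interpreted as syntax. The function names, the allowlist regex and the sample documents are assumptions made for this illustration.

```javascript
// Added example, not summit's own code: the eval()-on-collection-name pattern
// the root-cause analysis describes, next to a hardened version. All names
// and sample data here are hypothetical.

// Vulnerable pattern: the caller-controlled name becomes JavaScript syntax.
function buildFilterUnsafe(collectionName) {
  const src =
    "(function (doc) { return doc.collection === '" + collectionName + "'; })";
  // eslint-disable-next-line no-eval
  return eval(src);
}

// Mitigation 1: allowlist the name before it is used anywhere. The policy
// (identifier characters only, at most 64 of them) is an assumption.
const COLLECTION_NAME_RE = /^[A-Za-z0-9_-]{1,64}$/;

function isValidCollectionName(name) {
  return typeof name === "string" && COLLECTION_NAME_RE.test(name);
}

// Mitigation 2 (the real fix): generate no code at all. The closure holds the
// name as a value, so its characters can never change the filter's logic.
function buildFilterSafe(collectionName) {
  if (!isValidCollectionName(collectionName)) {
    throw new TypeError(
      "rejected collection name: " + JSON.stringify(collectionName)
    );
  }
  return function (doc) {
    return doc.collection === collectionName;
  };
}

// Constructed sample documents, shaped like what a PouchDB filter receives.
const SAMPLE_DOCS = [
  { _id: "u1", collection: "users" },
  { _id: "o1", collection: "orders" },
];

// Ids of the documents a filter lets through.
function filterIds(filterFn, docs = SAMPLE_DOCS) {
  return docs.filter(filterFn).map((d) => d._id);
}

// A name containing a quote and an operator. Spliced into source text it
// rewrites the filter (every document now passes); treated as data it is
// rejected before any code runs.
const MALFORMED_NAME = "users' || true || '";

function demo() {
  const wellFormed = {
    unsafe: filterIds(buildFilterUnsafe("users")), // ["u1"]
    safe: filterIds(buildFilterSafe("users")), // ["u1"]
  };
  const malformed = {
    unsafe: filterIds(buildFilterUnsafe(MALFORMED_NAME)), // ["u1", "o1"]
    safeRejected: false,
  };
  try {
    buildFilterSafe(MALFORMED_NAME);
  } catch (e) {
    malformed.safeRejected = e instanceof TypeError;
  }
  return { wellFormed, malformed };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The allowlist alone is the kind of check a WAF rule or request validator can apply in front of an unpatched version; removing eval() from the builder is what actually closes the CWE-94 issue, because then no string value can reach the JavaScript parser.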

WAF Protection Rules

WAF Rule

Affected versions of `summit` allow attackers to execute arbitrary commands via collection names when using the `PouchDB` driver.

Recommendation

No direct patch is available at this time. Currently, the best option to mitigate the issue is to
