9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-7677

GHSA ID

GHSA-29xr-v42j-r956

EPSS Score

0.39186%

CWE

CWE-78

Published

7/18/2022

Updated

1/23/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7677

CVE-2020-7677: thenify before 3.3.1 made use of unsafe calls to `eval`.

Versions of thenify prior to 3.3.1 made use of unsafe calls to eval. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to eval.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-7677

CVE-2020-7677:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-7677

GHSA ID

GHSA-29xr-v42j-r956

EPSS Score

0.39186%

CWE

CWE-78

Published

7/18/2022

Updated

1/23/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
thenify	npm	< 3.3.1	3.3.1
org.webjars.npm:thenify	maven	< 3.3.1	3.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from unsafe eval() usage in both the thenify function and its withCallback method. The pre-patch code constructed a function string in createWrapper and executed it via eval(), using the original function's name ($$fn$$.name) without sanitization. Since attackers could manipulate the function name (e.g., via Object.defineProperty), this allowed arbitrary code injection. The commit 0d94a24 removed eval() entirely, replacing it with direct function construction, confirming these were the vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-7677: thenify before 3.3.1 made use of unsafe calls to `eval`.

CVE-2020-7677:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

CVE-2020-7677: thenify before 3.3.1 made use of unsafe calls to `eval`.

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

9.8

9.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI