CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| squirrelly | npm | >= 9.0.0, < 9.1.0 | 9.1.0 |
The vulnerability is in the compile function in src/compile.ts, which builds the template function with new Function() and used options.varName as a parameter name without validating it. Because the value is spliced into the function's parameter list, an attacker who controls varName can supply a string containing JavaScript destructuring syntax (a destructuring pattern may carry default-value initializers, which are arbitrary expressions), and that code runs when the compiled template is invoked: code injection, CWE-94. The commit diff adds a check with isValidJSIdentifier so that anything other than a plain identifier is rejected before it reaches new Function(). Exposure therefore depends on whether an application lets untrusted input reach the varName option; template data alone does not trigger it. The classification is rated high confidence because the patch's validation logic maps directly onto CWE-94 code injection.
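The following is an added example, not squirrelly's code and not the project's actual patch: a toy compile() that mirrors the pattern described above, once with varName passed straight into the new Function() parameter list and once behind an identifier check. The payload string, the simplified isValidJSIdentifier (a regex plus a partial reserved-word list, which may differ from the real helper in the fix), and the globalThis.__injected marker used to observe execution are all constructed for this demonstration.

```javascript
// Added example, not squirrelly's source. Demonstrates why an unvalidated
// varName in a new Function() parameter list is a code-injection sink.

// Simplified identifier check (assumption: the real isValidJSIdentifier may
// be stricter, e.g. full Unicode ID_Start/ID_Continue and all reserved words).
const IDENT_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'export', 'extends', 'finally', 'for', 'function', 'if',
  'import', 'in', 'instanceof', 'new', 'return', 'super', 'switch', 'this',
  'throw', 'try', 'typeof', 'var', 'void', 'while', 'with', 'yield', 'let',
  'static', 'enum', 'await', 'implements', 'package', 'protected', 'interface',
  'private', 'public', 'null', 'true', 'false', 'arguments', 'eval',
]);

function isValidJSIdentifier(name) {
  return typeof name === 'string' && IDENT_RE.test(name) && !RESERVED.has(name);
}

// Vulnerable pattern: varName becomes the parameter list verbatim, so any
// syntax that is legal in a parameter list (commas, defaults, destructuring)
// is accepted and executed when the compiled function is called.
function compileUnsafe(body, varName) {
  return new Function(varName, `return ${body};`);
}

// Hardened pattern: reject anything that is not a single plain identifier
// before it can reach new Function().
function compileSafe(body, varName) {
  if (!isValidJSIdentifier(varName)) {
    throw new Error(`invalid varName: ${JSON.stringify(varName)}`);
  }
  return new Function(varName, `return ${body};`);
}

// Constructed payload: a second parameter whose destructuring pattern carries a
// default-value expression. The expression runs on every call of the template,
// while the template's own output stays intact, so the injection is silent.
const PAYLOAD = "it, { a = (globalThis.__injected = 'code ran') } = {}";

function demoInjection() {
  globalThis.__injected = undefined;
  const tpl = compileUnsafe('it.name', PAYLOAD);
  const output = tpl({ name: 'x' });
  return { output, injected: globalThis.__injected };
}

function demoHardened() {
  globalThis.__injected = undefined;
  let rejected = false;
  try {
    compileSafe('it.name', PAYLOAD);
  } catch (e) {
    rejected = true;
  }
  // A normal varName still compiles and renders.
  const output = compileSafe('it.name', 'it')({ name: 'x' });
  return { rejected, output, injected: globalThis.__injected };
}

console.log(demoInjection()); // template renders 'x' but __injected is set
console.log(demoHardened());  // payload rejected, 'it' still works
```

The key observation is that the unsafe variant returns the expected template output, so a functional test would not notice the injected expression; only the side effect reveals it. The hardened variant fails closed on anything the identifier check does not accept, which is also the behaviour you want for reserved words that would otherwise surface as a SyntaxError from new Function().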