Affected versions of `pouchdb` do not properly sandbox the code execution engine which executes the map/reduce functions for temporary views and design documents. Under certain circumstances, an attacker could uses this to run arbitrary code on the server.

## Recommendation

Update to version 6.0.5 or later.

Affected Packages

npm pouchdb

Affected versions: 0 (fixed in 6.0.5)

Related CVEs

CVE-2016-10546

Key Information

GHSA ID

GHSA-cgqv-x5cx-xvqh

Published

July 26, 2018 4:22 PM

Last Modified

August 31, 2020 6:12 PM

CVSS Score

9.0 /10

Primary Ecosystem

npm

Primary Package

pouchdb

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.