GHSA-cwcp-6c48-fm7m

GitHub Security Advisory

Unsafe eval() in summit allows arbitrary code execution

✓ GitHub Reviewed | CRITICAL | Has CVE

Advisory Details

Affected versions of `summit` allow attackers to execute arbitrary commands via collection names when using the `PouchDB` driver.

## Recommendation

No direct patch is available at this time.

Currently, the best option to mitigate the issue is to avoid using the `PouchDB` driver, as the package author has abandoned this feature entirely.

Affected Packages

npm summit
Affected versions: 0.1.0 (last affected: 0.1.22)

Key Information

GHSA ID: GHSA-cwcp-6c48-fm7m
Published: September 1, 2020 4:39 PM
Last Modified: November 14, 2023 9:08 PM
CVSS Score: 9.0/10
Primary Ecosystem: npm
Primary Package: summit
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.