All versions of the package dom-iterator are vulnerable to Arbitrary Code Execution because they pass input to the Function constructor without complete sanitization. The Function constructor compiles its string arguments into a new function body, so any attacker-controlled content that reaches those strings runs as code with the privileges of the calling script; the inputs to Function must therefore never be attacker-controlled. The risk is the same as allowing attacker-controlled input to reach eval, and in a browser the same Content Security Policy restriction (a script-src without 'unsafe-eval') blocks both.
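The following is an added example, not code from dom-iterator (the advisory does not say where in the package the Function constructor is reached), showing the generic pattern the advisory describes: an untrusted string spliced into source handed to `new Function`, the payload that escapes the string literal, and two hardened forms. All names (`vulnerableMatcher`, `safeMatcher`, `safeGeneratedMatcher`, `makeNode`, the marker and payload strings) are hypothetical, and the node object is a constructed stand-in so the example runs outside a browser.

```javascript
// Added example (not dom-iterator's code). Demonstrates why attacker-controlled
// input must never reach the source strings given to the Function constructor.

// Constructed stand-in for a DOM node so the example runs without a browser.
function makeNode(attrs) {
  return {
    getAttribute(name) {
      return Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null;
    },
  };
}

// VULNERABLE (hypothetical): the attribute name is concatenated into source
// text. Anything that closes the string literal runs as code.
function vulnerableMatcher(attrName) {
  return new Function(
    "node",
    'return node.getAttribute("' + attrName + '") !== null;'
  );
}

// SAFE: no code generation at all; the untrusted value is only ever data.
function safeMatcher(attrName) {
  return (node) => node.getAttribute(attrName) !== null;
}

// SAFE even where generated source is unavoidable: the untrusted value is
// passed in as a parameter and never concatenated into the source string.
function safeGeneratedMatcher(attrName) {
  const fn = new Function(
    "node",
    "attrName",
    "return node.getAttribute(attrName) !== null;"
  );
  return (node) => fn(node, attrName);
}

// Constructed payload: closes the string literal, evaluates an expression that
// writes a marker onto the global object, then re-opens the literal so the
// generated source still parses. The vulnerable source becomes:
//   return node.getAttribute("x") || (globalThis["..."] = true) || ("") !== null;
const MARKER = "__function_ctor_demo_marker";
const PAYLOAD = 'x") || (globalThis["' + MARKER + '"] = true) || ("';

// Runs a legitimate lookup and then the payload through the given matcher
// factory, reporting whether the payload actually executed as code.
function runDemo(makeMatcher) {
  delete globalThis[MARKER];
  const node = makeNode({ id: "main" });
  const matchesId = makeMatcher("id")(node); // legitimate use works in all variants
  let payloadMatched;
  try {
    payloadMatched = makeMatcher(PAYLOAD)(node);
  } catch (err) {
    payloadMatched = err; // a SyntaxError here would still be a denial of service
  }
  return { matchesId, payloadMatched, codeExecuted: globalThis[MARKER] === true };
}

console.log("vulnerable:", runDemo(vulnerableMatcher));   // codeExecuted: true
console.log("closure:", runDemo(safeMatcher));            // codeExecuted: false
console.log("generated:", runDemo(safeGeneratedMatcher)); // codeExecuted: false
```

The closure form is the right fix in almost every case; the parameter-passing form is only for code that genuinely has to build source at run time, and even then the untrusted value enters as an argument, not as text. Escaping quotes in the input is not a fix, since any character set the sanitizer misses reopens the hole, which is what "without complete input sanitization" in the advisory means in practice.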