
Code Injection Vulnerability in `correcting-interval`

Open shaobaobaoer opened this issue 7 months ago • 0 comments

Code Injection Vulnerability in correcting-interval

Summary

A critical code injection vulnerability (CWE-94) exists in the correcting-interval Node.js package versions prior to 2.0.0. The setCorrectingInterval function insecurely evaluates user-supplied input without proper sanitization, allowing attackers to execute arbitrary code remotely. Successful exploitation could lead to full system compromise, data loss, or service disruption.

Details

The vulnerability arises in the setCorrectingInterval function, which accepts a string argument intended to be a JavaScript function body. Due to insufficient input validation, attackers can inject malicious payloads by embedding arbitrary code within the input string. This flaw affects applications using correcting-interval to handle untrusted user data in environments where the function is invoked.

Impact

This vulnerability is classified as a code injection flaw (CWE-94) and impacts applications that:

  • Use correcting-interval versions <2.0.0
  • Pass user-controlled or untrusted input to setCorrectingInterval

shaobaobaoer, Aug 06 '25 11:08