vulnerability arbitrary code injection
severity 6.5
language javascript
registry npm


mongo-parse is a parser for MongoDB queries and projections. This package is vulnerable to Arbitrary Code Injection due to unsafe use of the eval() function. eval() is available by default in Node.js and evaluates a string as JavaScript code, so any input that reaches it is executed rather than treated as data. An attacker can craft a malicious payload to inject arbitrary commands.
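
The eval() pattern described above, shown beside a data-only alternative. This is an added example, not mongo-parse's source code: the function names, the operator allowlist and the sample inputs are constructed for illustration, and the query is assumed to arrive as a string.

```javascript
// Added illustration; hypothetical helpers, not mongo-parse source code.
const ALLOWED_OPERATORS = new Set(['$eq', '$ne', '$gt', '$gte', '$lt', '$lte',
  '$in', '$nin', '$and', '$or', '$exists']); // assumed allowlist; "$where" is left out

// Anti-pattern: eval() runs the string as JavaScript, so any expression in it executes.
function parseQueryUnsafe(text) {
  return eval('(' + text + ')');
}

// Walk the parsed value and reject keys that are not plain field names or allowed operators.
function validate(node) {
  if (Array.isArray(node)) { node.forEach(validate); return; }
  if (node === null || typeof node !== 'object') return;
  for (const [key, value] of Object.entries(node)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      throw new TypeError('forbidden key: ' + key);
    }
    if (key.startsWith('$') && !ALLOWED_OPERATORS.has(key)) {
      throw new TypeError('operator not allowed: ' + key);
    }
    validate(value);
  }
}

// Hardened: JSON.parse only builds data and throws SyntaxError on anything else.
function parseQuerySafe(text) {
  const query = JSON.parse(text);
  if (query === null || typeof query !== 'object' || Array.isArray(query)) {
    throw new TypeError('query must be a JSON object');
  }
  validate(query);
  return query;
}

// Constructed inputs. The second only sets a harmless marker to show that code ran.
const benign = '{"age": {"$gt": 21}}';
const withCode = '(globalThis.evalRan = true, {"age": {"$gt": 21}})';

// Run one input through both parsers and report whether embedded code executed.
function compare(text) {
  globalThis.evalRan = false;
  parseQueryUnsafe(text);
  const unsafeRanCode = globalThis.evalRan;
  globalThis.evalRan = false;
  let safeAccepted = true;
  try { parseQuerySafe(text); } catch (err) { safeAccepted = false; }
  return { unsafeRanCode, safeRanCode: globalThis.evalRan, safeAccepted };
}

console.log(compare(benign), compare(withCode));
```
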