dy/subscript

The object access can be exploited to execute JS code

Opened this issue · 1 comment

The library is nice but is dangerous to load arbitrary expressions as they can execute arbitrary code like this:
import subscript from 'subscript';

// The expression walks Math -> Object -> Function and invokes the Function constructor
const fn = subscript("Math.constructor.constructor('alert(1)')()");
fn({ Math });

suggestion: disable access to these keys: "__proto__", "constructor", "prototype" or use Object.hasOwn as a filter

dy commented

True. Unless we make sure we pass objects with null prototype.
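Added example (not code from the subscript project): a property resolver that applies the deny-list plus Object.hasOwn filter suggested in the issue, next to the null-prototype scope from the reply. The names `safeGet`, `safeResolve` and `nullProtoScope` are chosen here and are not part of the library.

```javascript
// Keys that let an expression walk from any value up to Function.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Resolve `key` on `obj` only if it is an own, non-blocked property.
// Anything else yields undefined, so a chain such as
// Math.constructor.constructor dead-ends instead of reaching Function.
function safeGet(obj, key) {
  if (obj === null || obj === undefined) return undefined;
  if (BLOCKED_KEYS.has(key)) return undefined;
  if (!Object.hasOwn(obj, key)) return undefined;
  return obj[key];
}

// Walk a dotted path (e.g. "Math.PI") through a scope object, applying
// safeGet at every hop rather than only at the top level.
function safeResolve(scope, path) {
  return path.split('.').reduce((cur, key) => safeGet(cur, key), scope);
}

// Alternative from the maintainer's reply: hand the evaluator a scope whose
// objects have a null prototype, so inherited `constructor` / `__proto__`
// simply do not exist on them. Own properties are copied, blocked keys skipped.
function nullProtoScope(entries) {
  const scope = Object.create(null);
  for (const [name, value] of Object.entries(entries)) {
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
      scope[name] = value; // primitives need no wrapping
      continue;
    }
    const copy = Object.create(null);
    for (const key of Object.getOwnPropertyNames(value)) {
      if (!BLOCKED_KEYS.has(key)) copy[key] = value[key];
    }
    scope[name] = copy;
  }
  return scope;
}

// Constructed demonstration inputs: the same `{ Math }` scope the issue uses.
const guarded = safeResolve({ Math }, 'Math.constructor.constructor'); // undefined
const stillWorks = safeResolve({ Math }, 'Math.PI');                   // Math.PI
const sandboxed = nullProtoScope({ Math });
console.log(guarded, stillWorks, sandboxed.Math.constructor);          // undefined 3.14... undefined
```

The null-prototype copy removes inherited lookups on the scope object itself, but a function value stored inside it (Math.max, for instance) still carries its own `constructor`, so the key filter has to run on every hop of the path as `safeResolve` does.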