
Legitimate redos test case? #45

@DevBrent


If I am not mistaken, this CVE can only be triggered in one of these fairly absurd cases where you're already under attack with nothing less than arbitrary code execution.

  • Someone is actively using get-func-name to process user-generated functions you've already evaluated and then passed the evaluated function into get-func-name.
  • Supply-chain code that has been maliciously modified to have an attack function definition in it AND your code arbitrarily calls get-func-name on this supply-chain code's function.
  • Supply-chain code that maliciously monkey patches Function.prototype.toString or the function's own toString with the attack string.

Are there any legitimate test cases (making this a legitimate vulnerability) for this CVE, or did this just get fixed for the sake of responding to the CVE in a timely manner? This is a significant issue in the NPM ecosystem and I'd like to understand if this is purely a problem of the CVE classification system or if there are other elements at work here.

Yes, it could be improved, but a CVE at all, let alone a HIGH SEVERITY CVE, is masking more important work out there in the high severity range with legitimate reproduction steps.

GHSA-4q6p-r6v2-jvc5

I don't see how this is a network / remotely triggerable vulnerability that warrants a high CVE score like this.
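The third case listed above (a toString that hands back attacker-chosen source text) is the one that actually reaches a source-parsing name matcher, so the following added JavaScript example shows that mechanism and a bounded alternative. It is not code from the issue or from the get-func-name project: `HYPOTHETICAL_NAME_REGEX` is a stand-in for a whitespace- and comment-tolerant "function <name>" matcher written for this illustration, not the library's actual pattern, and `extractNameLinear`, `nameOf`, `liar` and `nameless` are hypothetical names. It assumes a Node.js runtime and uses wall-clock timing only to make the backtracking visible.

```javascript
// Added example (not get-func-name's code). Shows why a regex over Function
// source text becomes a ReDoS sink once toString is attacker controlled, and
// a linear, bounded way to get a function name instead.

// Hypothetical stand-in for a "function <ws|comments> name" matcher. The starred
// group with \s* inside it backtracks quadratically on a long run of whitespace
// that is never followed by a name (the ^ anchor keeps it from going cubic).
const HYPOTHETICAL_NAME_REGEX = /^\s*function(?:\s|\s*\/\*[^*]*\*\/\s*)*([^\s(\/]+)/;

function extractNameRegex(src) {
  const m = HYPOTHETICAL_NAME_REGEX.exec(src);
  return m ? m[1] : null;
}

// Linear alternative: a single forward pass, no backtracking, and never more
// than maxLen characters examined no matter how long the source text is.
function extractNameLinear(src, maxLen = 4096) {
  const s = String(src).slice(0, maxLen);
  const n = s.length;
  const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r';
  let i = 0;
  while (i < n && isWs(s[i])) i++;
  if (!s.startsWith('function', i)) return null; // arrows, classes, bound functions
  i += 'function'.length;
  for (;;) { // skip any mix of whitespace and /* block comments */
    while (i < n && isWs(s[i])) i++;
    if (s.startsWith('/*', i)) {
      const end = s.indexOf('*/', i + 2);
      if (end === -1) return null; // unterminated comment: give up, still O(n)
      i = end + 2;
      continue;
    }
    break;
  }
  const start = i;
  while (i < n && !isWs(s[i]) && s[i] !== '(' && s[i] !== '/') i++;
  return i > start ? s.slice(start, i) : null; // null for anonymous functions
}

// Capture the real toString at load time, before any later code can monkey-patch
// it, and invoke it with .call() so an own `toString` property on the function
// object is never consulted.
const protoToString = Function.prototype.toString;

function nameOf(fn) {
  if (typeof fn !== 'function') return null;
  if (typeof fn.name === 'string' && fn.name !== '') return fn.name; // engine-provided, no parsing
  return extractNameLinear(protoToString.call(fn)) || '';
}

// Constructed inputs modelling the cases in the issue (not real-world samples).
const PAYLOAD = 'function' + ' '.repeat(5000) + '('; // long whitespace, no name

function liar() {}
liar.toString = () => PAYLOAD; // the function's own toString lies about its source

function nameless() {}
Object.defineProperty(nameless, 'name', { value: '' }); // force the source-parsing fallback

function timeMs(f) { const t = Date.now(); f(); return Date.now() - t; }

console.log('regex on PAYLOAD  :', extractNameRegex(PAYLOAD), timeMs(() => extractNameRegex(PAYLOAD)), 'ms');
console.log('linear on PAYLOAD :', extractNameLinear(PAYLOAD), timeMs(() => extractNameLinear(PAYLOAD)), 'ms');
console.log('liar.toString()   :', extractNameLinear(liar.toString()));          // null: attacker text
console.log('protoToString.call:', extractNameLinear(protoToString.call(liar))); // "liar": real source
console.log('nameOf(nameless)  :', nameOf(nameless));                            // "nameless": parsed fallback
```

The two defences are independent: using the engine's `name` property avoids parsing source text at all, and when a fallback parse is unavoidable, a bounded single-pass scanner makes the cost of a hostile `toString` proportional to `maxLen` rather than to the input's length squared.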
