GHSA-mmqv-m45h-q2hp: Sandbox Breakout / Arbitrary Code Execution in localeval

September 4, 2020 (updated January 16, 2026)

All versions of localeval are vulnerable to Sandbox Escape leading to Remote Code Execution. The package fails to restrict access to the main context through constructor.constructor. This may allow attackers to execute arbitrary code in the system. Evaluating the payload

constructor.constructor("return process.env")()

returns the contents of process.env.

References

github.com/advisories/GHSA-mmqv-m45h-q2hp
github.com/espadrine/localeval
github.com/espadrine/localeval/commit/823f112c793b8fae051eeddad61d4ed29804a56c
github.com/espadrine/localeval/commit/ce985eba77a5f89a7f718727cbaa7fb14da40335
github.com/espadrine/localeval/issues/9

Code Behaviors & Features

Detect and mitigate GHSA-mmqv-m45h-q2hp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →