Description
If I am not mistaken, this CVE can only be triggered in one of these fairly absurd cases where you're already under attack with nothing less than arbitrary code execution.
- Someone is actively using get-func-name to process user-generated functions you've already evaluated and then passed the evaluated function into get-func-name.
- Supply-chain code that has been maliciously modified to have an attack function definition in it AND your code arbitrarily calls get-func-name on this supply-chain code's function.
- Supply-chain code that maliciously monkey patches function.prototype.toString or the function's own toString with the attack string.
Are there any legitimate test cases (making this a legitimate vulnerability) for this CVE, or did this just get fixed for the sake of responding to the CVE in a timely manner? This is a significant issue in the NPM ecosystem, and I'd like to understand if this is purely a problem of the CVE classification system or if there are other elements at work here.
Yes, it could be improved, but a CVE at all, let alone a HIGH SEVERITY CVE, is masking more important work out there in the high severity range with legitimate reproduction steps.
I don't see how this is a network / remotely triggerable vulnerability that warrants a high CVE score like this.