Versions of thenify prior to 3.3.1 made use of unsafe calls to `eval`. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to `eval`.
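The following is an added illustration of the bug class this advisory describes, not thenify's own code and not the linked patch: a wrapper builder that splices a caller-supplied function name into source text for `eval` parses that string as JavaScript, whereas naming the wrapper through `Object.defineProperty` stores the string as data. The helpers `unsafeWrap`, `safeWrap`, `isPlainIdentifier` and `demo` are hypothetical names chosen for this example.

```javascript
// Added illustration (not thenify's code): why building a named wrapper
// through eval is unsafe, and how to name a wrapper without parsing a string.

// UNSAFE pattern: the supplied name is spliced into source text and handed
// to eval, so whatever the string contains is parsed as JavaScript.
function unsafeWrap(fn, name) {
  const src =
    '(function ' + name + '() {\n' +
    '  return fn.apply(this, arguments);\n' +
    '})';
  return eval(src); // direct eval: `fn` is visible to the generated source
}

// SAFE pattern: build the wrapper as an ordinary closure and assign its
// `name` property; the string is stored verbatim, never parsed or executed.
function safeWrap(fn, name) {
  const wrapper = function () {
    return fn.apply(this, arguments);
  };
  Object.defineProperty(wrapper, 'name', { value: String(name), configurable: true });
  return wrapper;
}

// Review-time check: any name that is not a plain identifier would be read
// by the unsafe builder as something other than a function name.
function isPlainIdentifier(name) {
  return /^[A-Za-z_$][\w$]*$/.test(name);
}

function add(a, b) { return a + b; }

// Demonstration: with a name that is not an identifier, the unsafe builder
// parses it as code (surfacing here as a SyntaxError), while the safe
// builder just records it and the wrapper still works.
function demo() {
  let unsafeParsed = false;
  try {
    unsafeWrap(add, 'not an identifier');
  } catch (e) {
    unsafeParsed = e instanceof SyntaxError;
  }
  const w = safeWrap(add, 'not an identifier');
  return { unsafeParsed, safeName: w.name, safeResult: w(2, 3) };
}
```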
References
- https://github.com/thenables/thenify/issues/29
- https://github.com/thenables/thenify/commit/0d94a24eb933bc835d568f3009f4d269c4c4c17a
- https://security.snyk.io/vuln/SNYK-JS-THENIFY-571690
- https://nvd.nist.gov/vuln/detail/CVE-2020-7677
- https://github.com/thenables/thenify/blob/master/index.js%23L17
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-572317
- https://github.com/advisories/GHSA-29xr-v42j-r956