CVE-2020-7674
JavaScript vulnerability analysis and mitigation

Overview

The access-policy npm package, which is used for encoding and decoding policy JSON files in web applications, was found to contain an Arbitrary Code Execution vulnerability (CVE-2020-7674). The vulnerability was discovered and disclosed on June 5, 2020, by the JHU System Security Lab (Snyk Database).

Technical details

The vulnerability exists in all versions of the access-policy package. The security flaw occurs when user input provided to the template function is executed by the eval function, resulting in potential code execution. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) from NVD and 8.6 (High) from Snyk, indicating its severe nature (Snyk Database).

Impact

The vulnerability can lead to a total loss of confidentiality, with all resources within the impacted component potentially being exposed to the attacker. While integrity impact is limited, the vulnerability can affect system availability, causing reduced performance or interruptions in resource availability (Snyk Database).

Mitigation and workarounds

As of the disclosure, there is no fixed version available for the access-policy package. Users of this package should consider using alternative solutions or implementing additional security controls to mitigate the risk (Snyk Database).
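The pattern described under Technical details, shown beside an eval-free replacement of the kind the mitigation section points toward. This is an added example, not code from the access-policy package or from the original report. The function names, the placeholder syntax, the evalProbe marker and the sample policy strings are all assumptions made for illustration.

```javascript
const PLACEHOLDER = /\$\{([^}]+)\}/g;

// Hypothetical eval-based template step (an assumption, not access-policy's
// source): each ${...} body is run as JavaScript with `data` in scope.
function unsafeTemplate(text, data) {
  return text.replace(PLACEHOLDER, (_, expr) => String(eval(expr)));
}

// Eval-free form: a placeholder may only be a dotted identifier path rooted at
// `data`, resolved through own properties. Everything else is rejected.
const PATH = /^data(\.[A-Za-z_$][\w$]*)+$/;
function safeTemplate(text, data) {
  return text.replace(PLACEHOLDER, (_, raw) => {
    const path = raw.trim();
    if (!PATH.test(path)) throw new TypeError(`rejected placeholder: ${path}`);
    let value = data;
    for (const key of path.split('.').slice(1)) {
      const isObject = value !== null && typeof value === 'object';
      if (!isObject || !Object.prototype.hasOwnProperty.call(value, key)) {
        throw new TypeError(`unknown field: ${path}`);
      }
      value = value[key];
    }
    return String(value);
  });
}

// Constructed sample inputs: one ordinary policy, one whose placeholder
// carries a harmless side effect to show that the text is being executed.
const data = { user: { id: 'u-1001' } };
const ordinary = '{"resource": "/users/${data.user.id}/*"}';
const hostile = '{"resource": "${globalThis.evalProbe = \'executed\'}"}';

function demo() {
  const out = { unsafeOrdinary: unsafeTemplate(ordinary, data) };
  unsafeTemplate(hostile, data);
  out.probeAfterUnsafe = globalThis.evalProbe; // set by the evaluated input
  delete globalThis.evalProbe;
  out.safeOrdinary = safeTemplate(ordinary, data);
  try {
    safeTemplate(hostile, data);
    out.safeHostile = 'rendered';
  } catch (err) {
    out.safeHostile = err.message;
  }
  out.probeAfterSafe = globalThis.evalProbe; // still undefined
  return out;
}
console.log(demo());
```

Both functions render the ordinary policy identically; only the eval-based one lets the policy text decide what code runs.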

This report was generated using AI
