Affected versions of pouchdb do not properly sandbox the code execution engine which executes the map/reduce functions for temporary views and design documents. Under certain circumstances, an attacker could uses this to run arbitrary code on the server.

Recommendation

Update to version 6.0.5 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-10546
• GHSA-cgqv-x5cx-xvqh
• https://www.npmjs.com/advisories/143