Improperly Controlled Modification of Dynamically-Determined Object Attributes in vega-util
- Severity:
- Medium
Description
vega-util prior to 1.13.1 allows manipulation of object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of the Object.prototype.
Recommendation
Update the vega-util package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.13.1
- Patched version(s): 1.13.1
References
- GHSA-6hwh-rqwf-cxxr
- snyk.io
- CVE-2019-10806
- CWE-1321
- CWE-20
- CWE-915
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
- Prototype pollution in ag-grid-community via the _.mergeDeep function (GHSA-876p-c77m-x2hc) - CVE-2024-38996
- JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 3 - CVE-2022-36083
- JOSE vulnerable to resource exhaustion via specifically crafted JWE (GHSA-jv3g-j58f-9mq9) 2 - CVE-2022-36083
- Tags:
- npm
- vega-util
Anything's wrong? Let us know Last updated on January 27, 2023