Description
The package liquidjs before 10.0.0 is vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Workaround For versions 9.34.0 and higher, an option to disable this functionality is provided.
Recommendation
Update the liquidjs package to the latest compatible version. Followings are version details:
- Affected version(s): < 10.0.0
- Patched version(s): 10.0.0
References
- GHSA-45rm-2893-5f49
- groups.google.com
- security.snyk.io
- CVE-2022-25948
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Prototype pollution in Plist before 3.0.5 can cause denial of service - CVE-2022-22912
- Strapi may leak sensitive user information, user reset password, tokens via content-manager views - @strapi/plugin-content-manager - CVE-2023-36472
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- qs vulnerable to Prototype Pollution - CVE-2022-24999
You might also like:
- Tags:
- npm
- liquidjs
Anything's wrong? Let us know Last updated on February 02, 2023


