Description
The package liquidjs before 10.0.0 is vulnerable to Information Exposure when the ownPropertyOnly parameter is set to false, which results in leaking properties of a prototype.
Workaround
For versions 9.34.0 and higher, an option to disable this functionality is provided.
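The leak described above, modeled as an added example (not liquidjs source and not part of the advisory): a simplified template property resolver with an ownPropertyOnly flag, run over a constructed Account object. The names readProperty, resolvePath, render, Account and demo are hypothetical.

```javascript
// Simplified model of a template engine's dotted-path lookup (NOT liquidjs source).
// The ownPropertyOnly flag mirrors the option named in the advisory.
function readProperty(obj, key, ownPropertyOnly) {
  if (obj === null || obj === undefined) return undefined;
  if (ownPropertyOnly && !Object.prototype.hasOwnProperty.call(Object(obj), key)) {
    return undefined; // inherited (prototype) properties stay invisible to templates
  }
  return obj[key]; // permissive mode: the lookup walks the prototype chain
}

function resolvePath(scope, path, { ownPropertyOnly = true } = {}) {
  return path.split('.').reduce(
    (value, key) => readProperty(value, key, ownPropertyOnly), scope);
}

// Minimal {{ a.b }} renderer, enough to show what reaches the output.
function render(template, scope, options) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = resolvePath(scope, path, options);
    return value === undefined || value === null ? '' : String(value);
  });
}

// Constructed sample: an application object whose prototype carries data
// that was never meant to be reachable from a template.
class Account {
  constructor(name) { this.name = name; }           // own property
  get apiToken() { return 'tok-CONSTRUCTED-EXAMPLE'; } // defined on Account.prototype
}
Account.prototype.internalTier = 'staff';            // also on the prototype

const scope = { user: new Account('alice') };
const template =
  'name={{ user.name }} tier={{ user.internalTier }} token={{ user.apiToken }}';

function demo() {
  return {
    permissive: render(template, scope, { ownPropertyOnly: false }),
    strict: render(template, scope, { ownPropertyOnly: true }),
  };
}

console.log(demo());
```

With the flag off, both prototype values appear in the rendered output; with it on, only the own property name is rendered.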
Recommendation
Update the liquidjs package to the latest compatible version. Version details:
- Affected version(s): < 10.0.0
- Patched version(s): 10.0.0
References
- GHSA-45rm-2893-5f49
- groups.google.com
- security.snyk.io
- CVE-2022-25948
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- thlorenz browserify-shim vulnerable to prototype pollution - CVE-2022-37617
- steal vulnerable to Prototype Pollution via alias variable - CVE-2022-37265
- steal vulnerable to Prototype Pollution - CVE-2022-37258
- matrix-js-sdk Prototype Pollution vulnerability - CVE-2022-36059
- Tags:
- npm
- liquidjs
Last updated on February 02, 2023


