Description
The package liquidjs before 10.0.0 is vulnerable to Information Exposure when the ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype.
Workaround
For versions 9.34.0 and higher, an option to disable this functionality is provided.
Recommendation
Update the liquidjs package to the latest compatible version. Version details are as follows:
- Affected version(s): < 10.0.0
- Patched version(s): 10.0.0
References
- GHSA-45rm-2893-5f49
- groups.google.com
- security.snyk.io
- CVE-2022-25948
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Prototype Pollution in mout - CVE-2022-21213
- steal vulnerable to Prototype Pollution via requestedVersion variable - CVE-2022-37257
- steal vulnerable to Prototype Pollution via key variable in babel.js - CVE-2022-37266
- steal vulnerable to Prototype Pollution via alias variable - CVE-2022-37265
Tags
- npm
- liquidjs
Last updated on February 02, 2023