Description
A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via the hello.utils.extend function.
Recommendation
Update the hellojs package to the latest compatible version. Version details:
- Affected version(s): < 1.18.8
- Patched version(s): 1.18.8
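The class of bug described above, shown as an added example that is not taken from the hello.js source: `naiveExtend`, `safeExtend` and `pollutes` are hypothetical names, and the payload is constructed. It contrasts a generic recursive merge that follows `__proto__` with a hardened one, plus a regression check that can be run in CI.

```javascript
// Generic recursive merge that follows inherited keys (illustrative only,
// NOT the hello.js implementation).
function naiveExtend(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      // target['__proto__'] resolves to Object.prototype, so the recursion
      // below writes attacker-chosen keys onto every object in the process.
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: own keys only, prototype-related keys skipped.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Regression check: does extendFn(target, source) leak a canary key onto
// Object.prototype? The canary is always removed afterwards.
function pollutes(extendFn) {
  const canary = '__pp_canary__';
  // Constructed input: JSON.parse creates "__proto__" as an own property.
  const payload = JSON.parse('{"__proto__": {"' + canary + '": true}}');
  try {
    extendFn({}, payload);
    return ({})[canary] === true;
  } finally {
    delete Object.prototype[canary];
  }
}
```

`pollutes` accepts any merge function with a `(target, source)` signature, so the same check can be pointed at the merge helper of an installed dependency after upgrading.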
Related Issues
- Prototype Pollution in lodash (GHSA-jf85-cpcp-j695) - CVE-2019-10744
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
- ejson shell parser in MongoDB Compass maybe bypassed - CVE-2024-6376
Tags: npm, hellojs
Last updated on November 09, 2023