MrSwitch hello.js vulnerable to prototype pollution

Severity:: High

Description

A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via hello.utils.extend function.

Recommendation

Update the hellojs package to the latest compatible version. Followings are version details:

Affected version(s): < 1.18.8
Patched version(s): 1.18.8

References

GHSA-g3vf-47fv-8f3c
CVE-2021-26505
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

npm package rfc6902 vulnerable to Prototype Pollution - CVE-2021-4245
dustjs-linkedin vulnerable to Prototype Pollution - CVE-2021-4264
Baobab vulnerable to Prototype Pollution - CVE-2021-4307
Immutable is vulnerable to Prototype Pollution - CVE-2026-29063

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; hellojs

Anything's wrong? Let us know Last updated on November 09, 2023