Description
A prototype pollution vulnerability in MrSwitch hello.js prior to version 1.18.8 allows remote attackers to execute arbitrary code via the hello.utils.extend function.
Recommendation
Update the hellojs package to the latest compatible version. Version details:
- Affected version(s): < 1.18.8
- Patched version(s): 1.18.8
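To show the class of bug named in the description, the following added example (not code from hello.js or from its 1.18.8 patch) contrasts a hypothetical unfiltered recursive merge, `naiveExtend`, with a hardened `safeExtend` that skips prototype-related keys. All function names and the sample JSON are constructed for illustration, and the key filter is an assumed common mitigation.

```javascript
// Added illustration; NOT the hello.js source.
// naiveExtend: hypothetical recursive merge with no key filtering.
function naiveExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // target['__proto__'] resolves to Object.prototype, so the merge
      // recurses into the shared prototype instead of a fresh object.
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      naiveExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// safeExtend: hardened variant (assumed mitigation, not the 1.18.8 patch).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeExtend(target, source) {
  for (const key of Object.keys(source)) {   // own keys only
    if (BLOCKED_KEYS.has(key)) continue;     // never walk into prototypes
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Only merge into an object the target itself owns.
      if (!hasOwn(target, key) || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge constructed JSON and report whether a fresh object inherits the
// injected property. Removes the property again before returning.
function checkExtend(extendFn) {
  const untrusted = JSON.parse('{"scope":{"basic":true},"__proto__":{"polluted":true}}');
  const merged = extendFn({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { merged, leaked };
}

console.log('naive leaked:', checkExtend(naiveExtend).leaked);
console.log('safe  leaked:', checkExtend(safeExtend).leaked);
```

`checkExtend` can also serve as a regression test for any in-house merge helper that handles parsed JSON.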
Related Issues
- npm package rfc6902 vulnerable to Prototype Pollution - CVE-2021-4245
- dustjs-linkedin vulnerable to Prototype Pollution - CVE-2021-4264
- Baobab vulnerable to Prototype Pollution - CVE-2021-4307
- Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers - CVE-2022-41878
Tags
- npm
- hellojs
Last updated on November 09, 2023