Description
A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.
Recommendation
Update the async package to the latest compatible version. Version details:
Affected version(s): **>= 2.0.0, < 2.6.4** and **>= 3.0.0, < 3.2.2**
Patched version(s): **2.6.4**, **3.2.2**
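As an added example (not part of the original advisory or the async project), the script below checks a package-lock.json for installed copies of async that fall in the affected ranges listed above, including nested transitive copies. It assumes lockfileVersion 2 or 3 (the `packages` map); the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected ranges as listed on this page: >= 2.0.0, < 2.6.4 and >= 3.0.0, < 3.2.2.
const AFFECTED = [
  { min: [2, 0, 0], fixed: [2, 6, 4] },
  { min: [3, 0, 0], fixed: [3, 2, 2] },
];

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Negative, zero or positive, like a sort comparator.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns the patched version to move to, or null if the version is not affected.
function patchedVersionFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = AFFECTED.find(r => compare(v, r.min) >= 0 && compare(v, r.fixed) < 0);
  return hit ? hit.fixed.join('.') : null;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and
// report every installed copy of async, including nested transitive copies.
function findAffectedAsync(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/async$/.test(path)) continue;
    const upgradeTo = patchedVersionFor(meta.version);
    if (upgradeTo) findings.push({ path, version: meta.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile (not from the page).
const sampleLock = {
  packages: {
    'node_modules/async': { version: '3.2.4' },
    'node_modules/legacy-tool/node_modules/async': { version: '2.6.3' },
    'node_modules/other/node_modules/async': { version: '3.2.1' },
    'node_modules/async-each': { version: '3.2.0' },
  },
};

console.log(findAffectedAsync(sampleLock));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's package-lock.json.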
References
- GHSA-fwr7-v2mv-hh25
- jsfiddle.net
- lists.fedoraproject.org
- security.netapp.com
- CVE-2021-43138
- CWE-1321
- CAPEC-310
- OWASP 2021-A6
Related Issues
- Prototype Pollution in sey - CVE-2021-23663
- jquery-plugin-query-object contains prototype pollution vulnerability - CVE-2021-20083
- Baobab vulnerable to Prototype Pollution - CVE-2021-4307
- MrSwitch hello.js vulnerable to prototype pollution - CVE-2021-26505
Tags
- npm
- async
Last updated on June 24, 2024