Prototype Pollution in js-data

Description

All versions of package js-data prior to 3.0.10 are vulnerable to Prototype Pollution via the deepFillIn function.

Recommendation

Update the js-data package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.0.10
• Patched version(s): 3.0.10

References

• GHSA-mqgv-67vx-g4m5
• snyk.io
• CVE-2020-28442
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Prototype Pollution in js-data (GHSA-c6h4-gc3f-hgjq) - CVE-2021-23574
• Prototype Pollution in systeminformation - CVE-2020-26245
• Prototype Pollution in Ajv - CVE-2020-15366
• Prototype Pollution in asciitable.js - CVE-2020-7771

Tags:

npm

js-data