Prototype Pollution in madlib-object-utils

Severity:: High

Description

The package madlib-object-utils before version 0.1.8 is vulnerable to Prototype Pollution via the setValue method, as it allows an attacker to merge object prototypes into it. Note: This vulnerability derives from an incomplete fix of CVE-2020-7701

Recommendation

Update the madlib-object-utils package to the latest compatible version. Followings are version details:

Affected version(s): < 0.1.8
Patched version(s): 0.1.8

References

GHSA-pfv6-prqm-85q8
snyk.io
CVE-2022-24279
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

Prototype Pollution in madlib-object-utils (GHSA-jvf5-q4h5-2jmj) - CVE-2020-7701
steal vulnerable to Prototype Pollution via alias variable - CVE-2022-37265
steal vulnerable to Prototype Pollution via requestedVersion variable - CVE-2022-37257
steal vulnerable to Prototype Pollution via key variable in babel.js - CVE-2022-37266

Tags:: npm; madlib-object-utils

Anything's wrong? Let us know Last updated on January 27, 2023