Prototype Pollution in nedb

Description

This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a proto or constructor.prototype payload.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.8.0

References

• GHSA-339j-hqgx-qrrx
• snyk.io
• CVE-2021-23395
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Prototype Pollution in async - CVE-2021-43138
• Prototype pollution in 101 - CVE-2021-25943
• Prototype Pollution in js-data - js-data - CVE-2021-23574
• Prototype Pollution in litespeed.js and appwrite/server-ce - CVE-2021-23682

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

nedb