Prototype Pollution in nedb

Severity:: High

Description

This affects all versions of package nedb. The library could be tricked into adding or modifying properties of Object.prototype using a proto or constructor.prototype payload.

Recommendation

No fix is available yet. Followings are affected versions:

<= 1.8.0

References

GHSA-339j-hqgx-qrrx
snyk.io
CVE-2021-23395
CWE-1321
CAPEC-310
OWASP 2021-A6

Related Issues

Prototype Pollution in sey - CVE-2021-23663
Baobab vulnerable to Prototype Pollution - CVE-2021-4307
MrSwitch hello.js vulnerable to prototype pollution - CVE-2021-26505
Prototype Pollution in litespeed.js and appwrite/server-ce - CVE-2021-23682

Tags:: npm; nedb

Anything's wrong? Let us know Last updated on August 17, 2023