Prototype Pollution in node-forge

Severity:: High

Description

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.

Recommendation

Update the node-forge package to the latest compatible version. Followings are version details:

Affected version(s): < 0.10.0
Patched version(s): 0.10.0

References

GHSA-92xj-mqp7-vmcj
snyk.io
CVE-2020-7720
CWE-1321
CWE-915
CAPEC-310
OWASP 2021-A6
OWASP 2021-A8

Related Issues

Prototype Pollution in node-oojs - CVE-2020-7721
Prototype Pollution in node-forge debug API. - Vulnerability
Prototype Pollution in node-forge util.setPath API - Vulnerability
Prototype Pollution in asciitable.js - CVE-2020-7771

Tags:: npm; node-forge

Anything's wrong? Let us know Last updated on February 12, 2025