Description
All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.3.1
References
Related Issues
- mockjs vulnerable to Prototype Pollution via the Util.extend function - CVE-2023-26158
- Collection.js vulnerable to Prototype Pollution - CVE-2023-26113
- underscore-keypath vulnerable to Prototype Pollution - CVE-2023-26139
- fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - CVE-2023-26920
- Tags:
- npm
- rangy
Anything's wrong? Let us know Last updated on March 03, 2023