Description
All versions of the package rangy are vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js.The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.3.1
References
Related Issues
- Collection.js vulnerable to Prototype Pollution - CVE-2023-26113
- fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name - CVE-2023-26920
- mockjs vulnerable to Prototype Pollution via the Util.extend function - CVE-2023-26158
- Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution - CVE-2023-36475
- Tags:
- npm
- rangy
Anything's wrong? Let us know Last updated on March 03, 2023