steal vulnerable to Prototype Pollution

Description

Prototype pollution vulnerability in function convertLater in npm-convert.js in stealjs steal 2.2.4 via the packageName variable in npm-convert.js.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2.3.0

References

• GHSA-gvjw-8mmr-8f6g
• CVE-2022-37258
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• tarteaucitron Cross-site Scripting (XSS) - CVE-2025-1467
• Cross site scripting in markdown-to-jsx - CVE-2024-21535
• uPlot Prototype Pollution vulnerability - CVE-2024-21489
• FUXA local file inclusion vulnerability - CVE-2023-31718

Tags:

npm

steal