steal vulnerable to Prototype Pollution via alias variable

Description

Prototype pollution vulnerability in stealjs steal via the alias variable in babel.js.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2.3.0

References

• GHSA-wc4x-qmr2-rj8h
• CVE-2022-37265
• CWE-1321
• CAPEC-310
• OWASP 2021-A6

Related Issues

• steal vulnerable to Prototype Pollution via key variable in babel.js - CVE-2022-37266
• steal vulnerable to Prototype Pollution via optionName variable - CVE-2022-37264
• steal vulnerable to Prototype Pollution via requestedVersion variable - CVE-2022-37257
• Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks - CVE-2022-41879

Tags:

npm

steal