Description
The import-in-the-middle loader used by @opentelemetry/instrumentation works by generating a wrapper module on the fly. The wrapper uses the module specifier to load the original module and adds some wrapping code. This allows remote code execution in cases where an application passes user-supplied input directly to an import() function, because the untrusted specifier ends up inside the generated wrapper.
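The application-side pattern that keeps this class of bug out of reach, as an added example (not the advisory's or the OpenTelemetry project's code): the specifier handed to import() is taken from an allow-list the application owns, so user text never becomes the specifier the loader hook rewrites. The ALLOWED_MODULES table, its entries and the function names are assumptions for this example.

```javascript
// Added example: never let user input become an import() specifier.
// The loader hook described in the advisory processes whatever specifier
// reaches import(), so the application must decide the specifier itself.

// Allow-list: keys a user may choose -> specifiers the application controls.
// (Constructed for this example; a real app lists its own plugin modules.)
const ALLOWED_MODULES = Object.freeze({
  http: 'node:http',
  path: 'node:path',
  crypto: 'node:crypto',
});

// Map user input to a specifier we own. Returns null unless the input is an
// exact own key of the table; Object.hasOwn also rejects inherited names such
// as 'constructor' that a plain `in` check or property access would accept.
function resolveSpecifier(userInput) {
  if (typeof userInput !== 'string') return null;
  if (!Object.hasOwn(ALLOWED_MODULES, userInput)) return null;
  return ALLOWED_MODULES[userInput];
}

// The single call site for dynamic import. Its argument is always one of the
// fixed strings above, never the user's text.
async function loadModule(userInput) {
  const specifier = resolveSpecifier(userInput);
  if (specifier === null) {
    throw new Error(`module "${String(userInput)}" is not permitted`);
  }
  return import(specifier);
}

// The shape the advisory warns about, for contrast only (not executed):
// async function loadModuleUnsafe(userInput) { return import(userInput); }
```

Note that the check is an exact match against the table, not "is this a module that exists": a real but unlisted module such as node:fs is refused too.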
Recommendation
Update the @opentelemetry/instrumentation package to the latest compatible version. Version details:
- Affected version(s): >= 0.40.0, < 0.41.2
- Patched version(s): 0.41.2
References
Last updated on August 18, 2023