Lucene search

GoogleOSV:GHSA-3Q56-9CC2-46J4

HistoryJul 01, 2024 - 3:32 p.m.

robinweser fast-loops vulnerable to prototype pollution

2024-07-0115:32:22

Google

osv.dev

robinweser fast-loops

version 1.1.3

prototype pollution

objectmergedeep

arbitrary code execution

denial of service

software

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

8.1

Confidence

High

JSON

robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function objectMergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

References

gist.github.com/mestrtee/f09a507c8d59fbbb7fd40880cd9b87ed

github.com/robinweser/fast-loops

github.com/robinweser/fast-loops/commit/6743acf64af832b7a0bbecf95cb4c7d95a3b766e

nvd.nist.gov/vuln/detail/CVE-2024-39008

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

8.1

Confidence

High

JSON

Related for OSV:GHSA-3Q56-9CC2-46J4