14 matches found
GHSA-V8W9-8MX6-G223 Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true })
Summary When using parseBody({ dot: true }) in HonoRequest, specially crafted form field names such as __proto__.x could create objects containing a __proto__ property. If the parsed result is later merged into regular JavaScript objects using unsafe merge patterns, this may lead to prototype pollution in the...
Prototype Pollution
Overview @nyariv/sandboxjs is a JavaScript sandboxing library. Affected versions of this package are vulnerable to Prototype Pollution. The sandbox implements a protection mechanism using the isGlobal flag in the Prop class; an attacker can modify host built-in prototypes by laundering the...
Prototype Pollution
Overview org.webjars.npm:seroval is a WebJar for seroval, a library to stringify JS values. Affected versions of this package are vulnerable to Prototype Pollution in the JSON deserialization process. An attacker can manipulate the prototype of objects by supplying malicious object keys during deserialization. Details Prototype...
Prototype Pollution
Overview org.webjars.npm:expr-eval is a WebJar for expr-eval Affected versions of this package are vulnerable to Prototype Pollution via unrestricted member access IMEMBER and user-defined functions IFUNDEF in the expression evaluator. An attacker can execute arbitrary JavaScript code by providin...
Prototype Pollution
Overview linkifyjs is a library that finds URLs, email addresses, hashtags and @mentions in plain-text strings and converts them into HTML links. Affected versions of this package are vulnerable to Prototype Pollution via the internal assign helper due to improper filtering of the __proto__ property. An attacker...
Prototype Pollution
Overview org.webjars.npm:eazy-logger is a simple CLI logger. Affected versions of this package are vulnerable to Prototype Pollution in the Logger function. Details Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into...
Prototype Pollution
Overview style-dictionary is a build system for creating cross-platform styles ("Style once, use everywhere"). Affected versions of this package are vulnerable to Prototype Pollution. PoC const StyleDictionary = require('style-dictionary'); const obj = {}; let opts =...
Prototype Pollution
Overview node-dig is a library that enables you to access nested elements in an Object. Affected versions of this package are vulnerable to Prototype Pollution via the main functionality. PoC const nodeDig = require("node-dig"); console.log("Prototype before dig", {}.isAdmin); nodeDig({}, "__proto__", "isAdmin",...
Prototype Pollution
Overview gsap (GSAP) is a JavaScript library for building high-performance animations that work in every major browser. Animate CSS, SVG, canvas, React, Vue, WebGL, colors, strings, motion paths, generic objects...anything JavaScript can touch! The ScrollTrigger plug... Affected versions of this...
Prototype Pollution
Overview rxdb (RxDB, short for Reactive Database) is a NoSQL database for JavaScript applications like websites, hybrid apps, Electron apps, Progressive Web Apps and Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the merge function within lib/utils.js...
Prototype Pollution
Overview simpl-schema is a schema validation package that supports direct validation of MongoDB update modifier objects. Affected versions of this package are vulnerable to Prototype Pollution. PoC const SimpleSchema = require("simpl-schema").default; let obj = {}; console.log("Before : " +...
Prototype Pollution
Overview pathval is a library for object value retrieval given a string path. Affected versions of this package are vulnerable to Prototype Pollution. PoC var pathval = require('pathval'); var obj = {}; pathval.setPathValue(obj, '__proto__.polluted', true); console.log(polluted); // true Details Prototype Pollution is a...
Prototype Pollution
Overview flat is a library that takes a nested JavaScript object and flattens it, or unflattens an object with delimited keys. Affected versions of this package are vulnerable to Prototype Pollution. PoC var unflatten = require('flat').unflatten; unflatten({ '__proto__.polluted': true }); console.log(polluted); // true Detai...
Prototype Pollution
Overview lodash is a utility library delivering consistency, modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution. The functions merge, mergeWith, and defaultsDeep could be tricked into adding or modifying properties of Object.prototype. This...
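The two bug shapes that recur across these results are a recursive merge that descends into a source key named __proto__ (the lodash, rxdb and linkifyjs entries) and a dotted-path setter that walks into __proto__ as if it were an ordinary nested key (the pathval, flat, node-dig and Hono parseBody({ dot: true }) entries). The following is an added example, not code from any of the advisories or packages listed above: a minimal vulnerable merge and setter of each shape, the hardened form of each, and a demonstrate() function that shows the pollution landing on Object.prototype and the hardened versions refusing it. The function names, the FORBIDDEN set and the attacker inputs are constructed for this illustration.

```javascript
// Added example (not from the advisories above). Vulnerable and hardened
// versions of the two prototype-pollution sinks these results describe.

// --- Vulnerable shape 1: recursive merge that trusts every source key ---
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {      // JSON.parse gives an OWN "__proto__" key
    const value = source[key];
    if (value !== null && typeof value === "object") {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // writes the attacker's nested keys onto every object in the realm.
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// --- Vulnerable shape 2: dotted-path setter (form-field / flat-key expansion) ---
function unsafeSetPath(obj, path, value) {
  const parts = path.split(".");
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];                        // "__proto__" steps into Object.prototype
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// --- Hardening: reject prototype-reaching keys and only descend into OWN plain objects ---
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);  // assumed deny-list
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const p = Object.getPrototypeOf(v);
  return p === Object.prototype || p === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN.has(key)) continue;           // drop the dangerous key outright
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function safeSetPath(obj, path, value) {
  const parts = path.split(".");
  if (parts.some((p) => FORBIDDEN.has(p))) {
    throw new TypeError("refusing to set path containing a prototype key: " + path);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    if (!hasOwn(cur, p) || !isPlainObject(cur[p])) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runs each sink against constructed attacker input and reports whether
// Object.prototype was polluted. Cleans up after itself so it is repeatable.
function demonstrate() {
  const body = JSON.parse('{"__proto__": {"polluted": true}}');  // constructed JSON body
  const fieldName = "__proto__.polluted";                        // constructed form-field name
  const out = {};

  unsafeMerge({}, body);
  out.mergePolluted = ({}).polluted === true;   // a fresh object now has .polluted
  delete Object.prototype.polluted;

  unsafeSetPath({}, fieldName, true);
  out.setPathPolluted = ({}).polluted === true;
  delete Object.prototype.polluted;

  const merged = safeMerge({}, body);
  out.safeMergeClean = ({}).polluted === undefined && !hasOwn(merged, "__proto__");

  let rejected = false;
  try { safeSetPath({}, fieldName, true); } catch (e) { rejected = e instanceof TypeError; }
  out.safeSetPathRejected = rejected && ({}).polluted === undefined;
  return out;
}

console.log(JSON.stringify(demonstrate()));
```

The hardened versions make two independent choices: a deny-list on key names (the check most of the listed fixes add) and an own-property, plain-object test before descending, which also stops a merge from walking into inherited objects such as a class instance's prototype. Parsing into Object.create(null) containers is a third option when you control the whole pipeline; it does not help when, as in the Hono summary, the parsed result is handed to someone else's merge.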