6 matches found
Prototype Pollution
Elysia is vulnerable to Prototype Pollution. The vulnerability is due to improper deep-merge handling in the mergeDeep function when merging schema validation results, which allows an attacker to inject a __proto__ property and, when chained with another flaw, achieve remote code execution...
Prototype Pollution
Overview org.webjars.npm:js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing __proto__ properties. This...
Prototype Pollution
Overview org.webjars.bower:linkifyjs is a library that finds URLs, email addresses, hashtags and @mentions in plain-text strings, then converts them into HTML links. Affected versions of this package are vulnerable to Prototype Pollution via the internal assign helper due to improper filtering of the __proto__...
Prototype Pollution
Overview Affected versions of this package are vulnerable to Prototype Pollution through the s.contexts..configure function. An attacker can execute arbitrary code or cause a denial of service by injecting arbitrary properties into the object prototype. PoC js async = const lib = await...
Prototype Pollution
Overview lutils provides a few reliable utils. Affected versions of this package are vulnerable to Prototype Pollution via the main merge function. PoC: const lt = require('lutils'); let obj = {}; console.log("Before being polluted: " + obj.polluted); var EVILJSON = JSON.parse('{"__proto__":{"polluted":true}}');...
Prototype Pollution
Overview properties-reader is a Properties file reader for Node.js. Affected versions of this package are vulnerable to Prototype Pollution. PoC by Eugene Lim: payload.properties: [__proto__] polluted = polluted; poc.js: var propertiesReader = require('properties-reader');...