RSEC-2025-1 Risk of __proto__ pollution Vulnerability
The plotly R package up through the latest 4.11.0 bundles plotly.js library 2.11.1. Plotly.js releases prior to version 2.25.2 have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty...
GHSA-MH29-5H37-FV8M js-yaml has prototype pollution in merge (<<)
Impact: In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed YAML document via prototype pollution (a __proto__ key). All users who parse untrusted YAML documents may be impacted. Patches: The problem is patched in js-yaml 4.1.1 and 3.14.2...
OESA-2024-1403 nodejs-qs security update
This is a query string parser for node and the browser supporting nesting, as it was removed from 0.3.x, so this library provides the previous and commonly desired behavior (and is twice as fast). Used by express, connect and others. Security fixes: qs before 6.10.3, as used in Express before 4.17.3 a...
SUSE CVE-2023-46308
In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty...
PT-2024-13352
Name of the Vulnerable Software and Affected Versions: Plotly plotly.js versions prior to 2.25.2. Description: The issue concerns plot API calls having a risk of __proto__ being polluted in expandObjectPaths or nestedProperty. This could potentially lead to security issues, although specific details abo...
PT-2023-29701 · Node.Js +1
Name of the Vulnerable Software and Affected Versions: Synchrony deobfuscator versions prior to 2.4.4. Description: A __proto__ pollution vulnerability exists in the LiteralMap transformer, allowing crafted input to modify properties in the Object prototype. Successful exploitation could lead to...
express: "qs" prototype poisoning causes the hang of the node process
A flaw was found in the express.js npm package of the nodejs:14 module stream. Express.js is vulnerable to a denial of service caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, a remote attacker can cause a...
DEBIAN-CVE-2022-24999
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string ...
Prototype Pollution
Overview: extend2 is a fork of node-extend; the difference is that arrays are treated as primitives when deep cloning. Affected versions of this package are vulnerable to Prototype Pollution via the extend function due to an unsafe recursive merge. POC (js): var e = require("extend2"); e(true, {}, ...
PT-2021-15527 · Npm · @Cookiex/Deep
Name of the Vulnerable Software and Affected Versions: @cookiex/deep versions prior to 0.0.7. Description: The issue allows pollution of the global Object.prototype through a __proto__ key in the merged input. This can potentially lead to unintended behavior or security issues in applications that use the @cookiex/deep...
GHSA-6C3J-C64M-QHGQ XSS in jQuery as used in Drupal, Backdrop CMS, and other products
jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype...