EPSS Percentile: 76.6%
steal is vulnerable to prototype pollution. An attacker can inject properties into existing construct prototypes via the convertLater function of npm-convert.js and modify attributes such as __proto__, constructor, and prototype.
steal.com
stealjs.com
github.com/advisories/GHSA-93q5-3xpc-8vg3
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L362
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L371
github.com/stealjs/steal/issues/1526