EPSS Percentile: 59.3%
steal is vulnerable to prototype pollution. An attacker can inject properties into existing construct prototypes via the module.exports function of babel.js and modify attributes such as __proto__, constructor, and prototype.
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L29165
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L29169
github.com/stealjs/steal/issues/1535