EPSS: 0.002 (Low), Percentile: 59.4%
steal is vulnerable to prototype pollution. The optionName variable in main.js is not validated, allowing an attacker to modify the object prototype by accessing it through an object's __proto__ property.
main.js
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L2168
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L2194
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L647
github.com/stealjs/steal/issues/1533
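
The pattern described above, as an added example that is not steal's own code: an option setter that uses an unvalidated optionName as a property key, next to a hardened version that rejects prototype-reaching names. The function names (setOptionUnsafe, setOptionSafe, demo) and the sample input are assumptions made for illustration.

```javascript
// Added illustration; NOT code from steal's main.js. All names are hypothetical.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable pattern: optionName is used as a property key without validation.
function setOptionUnsafe(config, optionName, value) {
  const current = config[optionName]; // "__proto__" resolves to Object.prototype
  if (current && typeof current === "object" && value && typeof value === "object") {
    Object.assign(current, value); // merges caller-supplied keys into it
  } else {
    config[optionName] = value;
  }
}

// Hardened pattern: reject prototype-reaching names, merge into own properties only.
function setOptionSafe(config, optionName, value) {
  if (typeof optionName !== "string" || FORBIDDEN.has(optionName)) {
    throw new TypeError("rejected option name: " + String(optionName));
  }
  const hasOwn = Object.prototype.hasOwnProperty.call(config, optionName);
  const current = hasOwn ? config[optionName] : undefined;
  if (current && typeof current === "object" && value && typeof value === "object") {
    for (const key of Object.keys(value)) {
      if (!FORBIDDEN.has(key)) current[key] = value[key];
    }
  } else {
    config[optionName] = value;
  }
}

// Runs both setters on constructed input and reports whether an unrelated,
// freshly created object picked up the injected property.
function demo() {
  const input = { name: "__proto__", value: { polluted: true } }; // constructed sample
  const result = { unsafePolluted: false, safeRejected: false, safePolluted: false };
  try {
    setOptionUnsafe({}, input.name, input.value);
    result.unsafePolluted = ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted; // undo the pollution so the demo is repeatable
  }
  try {
    setOptionSafe({}, input.name, input.value);
  } catch (e) {
    result.safeRejected = e instanceof TypeError;
  }
  result.safePolluted = ({}).polluted === true;
  return result;
}

console.log(demo());
```

Creating the configuration object with Object.create(null) removes the inherited __proto__ accessor altogether and complements the name check.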