EPSS: 0.003 (Low); Percentile: 65.4%
steal is vulnerable to prototype pollution. An attacker can inject properties into existing construct prototypes via the convertLater function of npm-convert.js and modify attributes such as __proto__, constructor, and prototype.
github.com/advisories/GHSA-gvjw-8mmr-8f6g
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L362
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/npm-convert.js#L369
github.com/stealjs/steal/issues/1527
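
The class of bug described above, shown as an added example that is not code from steal or its convertLater function: a generic recursive assignment that follows the __proto__ key into Object.prototype, beside a hardened version that rejects the three attributes named in the advisory. All function names and the sample input are assumptions constructed for illustration.

```javascript
// Added example; not steal's code. Names below are hypothetical.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Unsafe pattern: every key is followed, so "__proto__" resolves to
// Object.prototype on the target and the merge writes into it.
function mergeUnsafe(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: only own keys are read, blocked keys are skipped, and
// nested targets are taken from own properties, never from the prototype chain.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const existing = hasOwn && isPlainObject(target[key]) ? target[key] : {};
      target[key] = mergeSafe(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges on a constructed, untrusted-looking input and reports
// whether a fresh object inherited the injected property afterwards.
function demo() {
  const input = JSON.parse('{"__proto__":{"polluted":true},"main":"index.js"}');
  const safe = mergeSafe({}, input);
  const afterSafe = ({}).polluted;
  mergeUnsafe({}, input);
  const afterUnsafe = ({}).polluted;
  delete Object.prototype.polluted; // restore the global prototype
  return { safe, afterSafe, afterUnsafe };
}
```

Storing untrusted keys in a Map or in an object made with Object.create(null) removes the prototype chain from the lookup altogether.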