EPSS: 0.002 (Low), percentile 59.4%
steal is vulnerable to prototype pollution. An attacker can inject properties into existing construct prototypes via the module.exports function of babel.js and modify attributes such as __proto__, constructor, and prototype.
github.com/advisories/GHSA-wc4x-qmr2-rj8h
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L4216
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L4569
github.com/stealjs/steal/issues/1534