@cdr0/sg is vulnerable to prototype pollution. The vulnerability is due to improper handling of user-supplied inputs within ref.js
, specifically allowing manipulation of the __proto__
and constructor.prototype
properties. This allows attackers to alter the behavior of all objects inheriting from the affected prototype, potentially escalating to denial of service or remote code execution.