Possible Prototype Pollution #251
I have found a possible prototype pollution vuln in this package.
With specific input attackers can define properties on the prototype, which will lead to prototype pollution.
Also I have made a tiny fix to prevent access to the prototype, which may fix this vuln.
418sec#1
Should we accept the PR or write some alert to users not to use untrusted input?

Comments

Thanks for finding and fixing this! I had it create a pull request (#252) and I'll make sure it gets merged and released soon.

Thanks a lot.

By the way, should we submit it to the GitHub security advisory and npm advisory, which will automatically alert downstream packages and apps? And can we apply for a CVE ID for the vuln, which can help me a lot?

Any progress here?

Any reason why this issue is still open?

Despite a fix being merged there's been no release yet :( It would be great if we could cut a 2.0.3 release
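The mechanism described in this issue, shown as an added example that is not the package's own code (the page does not name the package or show its setter): a generic dotted-path setter in an unguarded form and a hardened form. The function names `unsafeSetPath`, `safeSetPath` and the `FORBIDDEN_KEYS` deny-list are hypothetical, and the input path is constructed for the demonstration. The hardened form rejects `__proto__`, `constructor` and `prototype` segments and only descends into own properties, which is the shape of fix the reporter describes.

```javascript
// Added example (not this package's own code): a generic dotted-path setter
// in an unguarded and a hardened form, to show the prototype-pollution
// mechanism the issue describes and the key guard that closes it.
// All names here (unsafeSetPath, safeSetPath, FORBIDDEN_KEYS) are hypothetical.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Unguarded: descends through any existing object-valued property, including
// inherited ones. A "__proto__" segment therefore walks onto Object.prototype,
// and the final assignment becomes visible on every plain object.
function unsafeSetPath(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== "object" || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject prototype-related segments outright and only descend into
// own properties. The hasOwnProperty check alone is not enough: assigning
// cur["__proto__"] = {} invokes the __proto__ setter rather than creating an
// own property, so the explicit key deny-list is the part that matters.
function safeSetPath(target, path, value) {
  const keys = path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to set prototype-related key "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const next = cur[keys[i]];
    if (!Object.prototype.hasOwnProperty.call(cur, keys[i]) ||
        typeof next !== "object" || next === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Constructed input: the kind of path an untrusted caller could supply.
const CONSTRUCTED_PATH = "__proto__.tainted";

// Runs the unguarded setter, then probes an unrelated, freshly created object.
// Cleans Object.prototype up afterwards so the rest of the process is unaffected.
function demonstrateUnsafe() {
  const before = ({}).tainted;                 // undefined
  unsafeSetPath({}, CONSTRUCTED_PATH, "yes");
  const after = ({}).tainted;                  // "yes": now inherited by every object
  delete Object.prototype.tainted;
  return { before, after, cleaned: ({}).tainted };
}

// Runs the hardened setter: the polluting path is rejected, ordinary paths work.
function demonstrateSafe() {
  let rejected = false;
  try {
    safeSetPath({}, CONSTRUCTED_PATH, "yes");
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const cfg = safeSetPath({}, "server.tls.minVersion", "TLSv1.2");
  return { rejected, nested: cfg.server.tls.minVersion, probe: ({}).tainted };
}

console.log(demonstrateUnsafe(), demonstrateSafe());
```

The probe on a fresh `{}` is the check worth keeping in a regression test for a fix like the one in 418sec#1: after the setter runs on untrusted keys, an unrelated object must not have gained any property.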