[CVE-2022-37609]/Prototype pollution found in options.js. #2106
Comments
This report is incomplete to the point of being useless. The version in the report is over a year out of date. Please reopen with specific line numbers or other details.
@bitwiseman please kindly analyze CVE-2022-37609 which was reported recently with high Base Score: [9.8 CRITICAL] and provide assessments, thanks.
The suspicious code identified as the weakness is here, according to the CVE record:
The above testing passed in Node.js and the browser (Chrome). A merge function that can lead to prototype pollution must be recursive or copy to a depth > 1.
But that line of js_beautify code only does a 1-level copy.
In Node.js and the browser (Chrome), it cannot make the pollution happen.
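The distinction drawn in the comment above between a one-level copy and a recursive merge, as an added example that is not part of the thread and is not js-beautify's code. The helper names (`shallowCopy`, `unsafeDeepMerge`, `safeDeepMerge`, `pollutesGlobalPrototype`) and the sample input are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not js-beautify's code.
// Constructed input: JSON.parse creates "__proto__" as an own, enumerable key.
const SAMPLE = '{"__proto__": {"polluted": true}, "indent_size": 2}';

// One-level copy: each top-level value is assigned once, never descended into.
// Assigning "__proto__" only swaps the prototype of the returned object.
function shallowCopy(source) {
  const target = {};
  for (const name in source) {
    target[name] = source[name];
  }
  return target;
}

// Recursive merge with no key filtering: the pattern that pollutes.
function unsafeDeepMerge(target, source) {
  for (const name in source) {
    const value = source[name];
    if (value && typeof value === 'object' && target[name] && typeof target[name] === 'object') {
      unsafeDeepMerge(target[name], value); // target.__proto__ resolves to Object.prototype
    } else {
      target[name] = value;
    }
  }
  return target;
}

// Same merge, refusing keys that reach a prototype and recursing into own properties only.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);
function safeDeepMerge(target, source) {
  for (const name of Object.keys(source)) {
    if (BLOCKED.has(name)) continue;
    const value = source[name];
    const own = Object.prototype.hasOwnProperty.call(target, name) ? target[name] : undefined;
    if (value && typeof value === 'object' && own && typeof own === 'object') {
      safeDeepMerge(own, value);
    } else {
      target[name] = value;
    }
  }
  return target;
}

// Apply a copy/merge strategy to SAMPLE and report whether a fresh, unrelated object is affected.
function pollutesGlobalPrototype(strategy) {
  strategy(JSON.parse(SAMPLE));
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted; // restore global state after the check
  return polluted;
}
```

Calling `pollutesGlobalPrototype` with each strategy gives a check that can be dropped into a unit test for any options-merging helper.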
@bitwiseman I see that the tag (status: needs more info) has been removed, but the code has not been updated with @jackieju's fix. I'm kinda confused - was a fix provided, or is it saying that the sus code is in fact not sus?
@meena-kaliswamy
And since js-beautify doesn't do that, no update is needed.
Prototype pollution vulnerability in beautify-web js-beautify 1.13.7 via the name variable in options.js.
The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/