GHSA-5rrq-pxf6-6jx5

ADVISORY - github

Summary

Impact

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Patches

The forge.debug API and related functions were removed in 1.0.0.

Workarounds

Don't use the forge.debug API directly or indirectly with untrusted input.

References

https://www.huntr.dev/bounties/1-npm-node-forge/

For more information

If you have any questions or comments about this advisory:

Open an issue in forge.
Email us at support@digitalbazaar.com.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-1321⁠

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Advisories

GitHub

CREATED

3 years ago

UPDATED

3 years ago

ADVISORY IDGHSA-5rrq-pxf6-6jx5⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

N/Alow

GitLab

CREATED

3 years ago

UPDATED

3 years ago

ADVISORY ID

GMS-2022-66

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1035⁠CWE-937⁠

CVSS SCORE

N/Aunspecified