Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes
References
Link | Resource |
---|---|
https://github.com/ramda/ramda/pull/3192 | Issue Tracking Patch Third Party Advisory |
https://jsfiddle.net/3pomzw5g/2/ | Exploit Third Party Advisory |
Configurations
History
07 Nov 2023, 03:39
Type | Values Removed | Values Added |
---|---|---|
Summary | Prototype poisoning in function mapObjIndexed in Ramda 0.27.0 and earlier allows attackers to compromise integrity or availability of application via supplying a crafted object (that contains an own property "__proto__") as an argument to the function. NOTE: the vendor disputes this because the observed behavior only means that a user can create objects that the user didn't know would contain custom prototypes |
Information
Published : 2022-05-10 11:15
Updated : 2024-08-04 04:16
NVD link : CVE-2021-42581
Mitre link : CVE-2021-42581
CVE.ORG link : CVE-2021-42581
JSON object : View
Products Affected
ramdajs
- ramda
CWE
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')