Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1waDI4LXd3ZmotZnY3Zs4AATHz
Prototype Pollution in sds
This affects the package sds from 0.0.0. The library could be tricked into adding or modifying properties of Object.prototype by abusing the set function located in js/set.js. Note: this vulnerability derives from an incomplete fix to CVE-2020-7618.
Permalink: https://github.com/advisories/GHSA-ph28-wwfj-fv7f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1waDI4LXd3ZmotZnY3Zs4AATHz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-ph28-wwfj-fv7f, CVE-2022-25862
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25862
- https://github.com/monsterkodi/sds/blob/master/js/set.js
- https://snyk.io/vuln/SNYK-JS-SDS-2385944
- https://nvd.nist.gov/vuln/detail/CVE-2020-7618
- https://github.com/advisories/GHSA-ph28-wwfj-fv7f
Blast Radius: 2.3
Affected Packages
npm:sds
Dependent packages: 8
Dependent repositories: 2
Downloads: 115 last month
Affected Version Ranges: <= 4.4.0
No known fixed version
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.12, 1.2.13, 1.2.17, 1.2.20, 1.2.22, 1.3.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.21, 1.4.22, 1.4.23, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.8.1, 1.9.0, 1.9.1, 1.11.0, 1.12.0, 1.14.0, 1.14.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.2.0, 4.0.0, 4.1.1, 4.2.0, 4.3.0, 4.4.0