Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWMzcHgtdjljNy1tNzM0
Prototype Pollution in mithril
Affected versions of mithril are vulnerable to prototype pollution. The function parseQueryString may allow a malicious user to modify the prototype of Object, causing the addition of a new property, or the modification of an existing one, on all objects. A payload such as __proto%5BtoString%5D=123 (URL-encoded form of __proto__[toString]=123) in the query string would replace the toString() function with the string 123.
Recommendation
If you are using mithril 2.x, upgrade to version 2.0.2 or later.
If you are using mithril 1.x, upgrade to version 1.1.7 or later.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWMzcHgtdjljNy1tNzM0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 4 years ago
Updated: almost 2 years ago
Identifiers: GHSA-c3px-v9c7-m734
References:
Blast Radius: 0.0
Affected Packages
npm:mithril
Dependent packages: 413
Dependent repositories: 2,115
Downloads: 66,920 last month
Affected Version Ranges: >= 2.0.0, < 2.0.2; < 1.1.7
Fixed in: 2.0.2, 1.1.7
All affected versions: 0.1.0, 0.1.2, 0.1.3, 0.1.4, 0.1.12, 0.1.13, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.28, 0.1.29, 0.1.30, 0.1.31, 0.1.32, 0.1.33, 0.1.34, 0.2.0, 0.2.3, 0.2.4, 0.2.5, 0.2.7, 0.2.8, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 2.0.1
All unaffected versions: 1.1.7, 2.0.3, 2.0.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.8