Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc0NTItNnJmYy12cnZ4
Prototype Pollution in open-graph
This affects the package open-graph before 0.2.6. The function parse could be tricked into adding or modifying properties of Object.prototype using a proto or constructor payload.
Permalink: https://github.com/advisories/GHSA-g452-6rfc-vrvxJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc0NTItNnJmYy12cnZ4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-g452-6rfc-vrvx, CVE-2021-23419
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23419
- https://github.com/samholmes/node-open-graph/commit/a0cef507a90adaac7dbbe9c404f09a50bdefb348
- https://snyk.io/vuln/SNYK-JS-OPENGRAPH-1536747
- https://github.com/advisories/GHSA-g452-6rfc-vrvx
Blast Radius: 15.8
Affected Packages
npm:open-graph
Dependent packages: 39Dependent repositories: 950
Downloads: 9,721 last month
Affected Version Ranges: < 0.2.6
Fixed in: 0.2.6
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4
All unaffected versions: 0.2.6