-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible Prototype Pollution #251
Comments
Thanks for finding and fixing this! I had it create a pull request (#252) and I'll make sure it gets merged and released soon. |
Thanks a lot. |
By the way, should we submit it to github security advisory and npm advisory, which will automatically alert downstream package and app? And, can we apply for an CVE ID for the vuln, which can help me a lot? |
any progress here? |
Any reason why this issue is still open? |
Despite a fix being merged there's been no release yet :( It would be great if we could cut a 2.0.3 release |
I have found a possible prototype pollution vuln in this package.
With speficific input attckers can define properties on prototype, which will lead to prototype pollution.
Also I have made a tiny fix to prevent acccess prototype, which may fix this vuln.
418sec#1
Should we accept the pr or write some alert to users to do not use untrusted input?
The text was updated successfully, but these errors were encountered: