Tariq Hawis tariqhawis

@tariqhawis
tariqhawis / cached47k_nov18.json
Created February 28, 2025 18:47
47k NPM Dataset (snapshot on Nov 18, 2024)
This file has been truncated, but you can view the full file.
[
{
"_id": {
"$oid": "673b7283f7ba6a7c4fe13ffd"
},
"package_name": "download-git-repo",
"version": "3.0.2",
"__v": 0,
"downloads": 109332,
"exploredFuncs": 1,
@tariqhawis
tariqhawis / npm57k.json
Created February 28, 2025 18:43
57k NPM Dataset
This file has been truncated, but you can view the full file.
[
{
"package_name": "@contentful/f36-skeleton",
"last_week": 26547
},
{
"package_name": "@clinic/trace-events-parser",
"last_week": 28670
},
{
@tariqhawis
tariqhawis / Advisory_burrito.md
Created December 10, 2024 20:03
Advisory for burrito

Vulnerability type: Prototype Pollution

Affected Package:

  • Product: burrito
  • Version: 0.2.12

Vulnerability Location(s):

@tariqhawis
tariqhawis / chartist-js.md
Created July 31, 2024 03:15
Vulnerability Advisory: Prototype Pollution in chartist, versions <= 1.3.0

Vulnerability type: Prototype Pollution

Vendor of the Package: chartist-js

Affected Package:

  • Product: chartist
  • Version: 1.3.0
@tariqhawis
tariqhawis / CVE-2024-38998.md
Last active September 11, 2024 18:12
[CVE-2024-38998] A Prototype Pollution vulnerability Affecting requirejs package, versions < 2.3.7

Overview

Affected versions of this module are vulnerable to Prototype Pollution due to a missing check on whether the argument resolves to the object prototype. This allows an attacker to inject a malicious object property using the built-in Object property __proto__, which is recursively assigned to all the objects in the program.

PoC

(async () => {
 const lib = await import('requirejs');
@tariqhawis
tariqhawis / google-protobuf-pp.md
Last active July 29, 2024 18:34
Prototype Pollution in google-protobuf, All versions

Overview

Affected versions of this module are vulnerable to Prototype Pollution due to a missing check on whether the argument resolves to the object prototype. This allows an attacker to inject a malicious object property using a built-in Object property such as __proto__, which is recursively assigned to all the objects in the program.

PoC

(async () => {
  const goog = await import('google-protobuf');
var victim = {}
@tariqhawis
tariqhawis / CVE-2024-29651.md
Last active October 2, 2024 02:49
(CVE-2024-29651) Prototype Pollution vulnerability affecting @apidevtools/json-schema-ref-parser, versions 11.0.0, 11.1.0

Overview

json-schema-ref-parser is an NPM package to parse, resolve, and dereference JSON Schema $ref pointers.

Affected versions of this package are vulnerable to Prototype Pollution. An attacker can manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype by passing specially crafted input to this function.

Details:

The vulnerable functions bundle(), parse(), resolve(), and dereference() pass the options argument to an unsafe merge method, which recursively copies properties from one object to another. Such a function has the potential to modify any object reachable from the destination object, and the built-in Object.prototype is usually reachable through the special properties __proto__ and constructor.prototype.

@tariqhawis
tariqhawis / CVE-2024-29650.md
Last active May 18, 2024 02:33
(CVE-2024-29650) Prototype Pollution vulnerability affecting @thi.ng/paths module, versions <=5.1.62

Overview

Affected versions of this package (<=5.1.62) are vulnerable to prototype pollution via mutIn and mutInManyUnsafe. An attacker can manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

In the PoC code below, paths.mutIn is invoked with a polluted __proto__ property. This property is passed as an argument from mutIn() in mut-in.js to defMutator() in mutator.js and then assigned to the destination as follows:

        return s ? (t = s[a]) ? (t[b] = x, s) : void 0 : void 0;
@tariqhawis
tariqhawis / web3-utils-pp.md
Last active July 30, 2024 16:10
[CVE-2024-21505] Prototype Pollution Affecting web3-utils (4.1.1)

Overview
web3-utils is a sub-package of web3.js. Web3.js is a TypeScript implementation of the Ethereum JSON RPC API and related tooling maintained by ChainSafe Systems. web3-utils contains useful utility functions for Dapp developers.

Attack Vector

Affected versions of this package are vulnerable to Prototype Pollution via the utility functions format and mergeDeep. An attacker can manipulate the prototype of an object, potentially leading to the alteration of behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

@tariqhawis
tariqhawis / CVE-2024-24293.md
Last active May 18, 2024 03:40
(CVE-2024-24293) Prototype Pollution Affecting @bit/loader npm package

Overview

Affected versions of this package are vulnerable to Prototype Pollution, where merge is invoked unsafely in the M function. Because the tainted e argument carrying the __proto__ object is not checked for whether it resolves to the object prototype, the malicious properties are copied onto the Object prototype by the merge operation into the empty object, recursively affecting all the objects in the program.

PoC

(async () => {
 const lib = await import('@bit/loader');