Skip to content

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in node-forge util.setPath API

Low
davidlehn published GHSA-wxgw-qj99-44c2 Jan 6, 2022

Package

npm node-forge (npm)

Affected versions

< 0.10.0

Patched versions

0.10.0

Description

Impact

forge.util.setPath had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.

Patches

The forge.util.setPath API and related functions were removed in 0.10.0.

Workarounds

Don't call forge.util.setPath directly or indirectly with untrusted keys.

References

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2020-7720

Weaknesses

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. Learn more on MITRE.