[GHSA-rx8g-88g5-qh64] min-document vulnerable to prototype pollution#6392
Pull Request Overview
This PR updates a GitHub Security Advisory (GHSA-rx8g-88g5-qh64) for a prototype pollution vulnerability in the min-document package. The changes reflect that version 2.19.1 fixes the vulnerability, adjusting severity and CVSS scoring accordingly.
- Updated vulnerability status from "last_affected" to "fixed" with version 2.19.1
- Increased severity from LOW to MODERATE and adjusted CVSS score
- Added reference to the pull request that fixed the vulnerability
| ], | ||
| "summary": "min-document vulnerable to prototype pollution", | ||
| "details": "A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the __proto__ property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes. The vulnerability remains unaddressed in the latest available version.", | ||
| "details": "A vulnerability exists in the 'min-document' package prior to version 2.19.1, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the __proto__ property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes. The vulnerability remains unaddressed in the latest available version.", |
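Review bot: the closing sentence of the new "details" value, "The vulnerability remains unaddressed in the latest available version," contradicts the "fixed" event this PR records for 2.19.1 and should be dropped; the rest of the text already agrees with the new range ("prior to version 2.19.1"), so removing that one sentence is enough to make the details consistent with the advisory metadata.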
The details field states 'The vulnerability remains unaddressed in the latest available version,' but this contradicts the update showing the vulnerability is fixed in version 2.19.1. This sentence should be removed or updated to reflect that the vulnerability has been addressed.
| "details": "A vulnerability exists in the 'min-document' package prior to version 2.19.1, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the __proto__ property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes. The vulnerability remains unaddressed in the latest available version.", | |
| "details": "A vulnerability exists in the 'min-document' package prior to version 2.19.1, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the __proto__ property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes.", |
Yes, good catch, this suggestion should be applied.
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" | ||
| "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" |
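Review bot: dropping "/E:P" from the vector is consistent with the severity moving from LOW to MODERATE rather than in tension with it: in CVSS v4.0 an Exploit Maturity metric that is not supplied (E:X) is scored as E:A (Attacked), the highest value, so the new vector scores higher than the old one that carried E:P. What is worth confirming is intent: if the advisory is meant to record that only a proof of concept is known, E:P belongs in the vector as a CVSS-BT value; if the field is meant to hold the base vector only, the new value is correct as written.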
The CVSS score was changed by removing the '/E:P' (Exploit Maturity: Proof of Concept) metric, but the severity was increased from LOW to MODERATE. Verify that the CVSS score calculation aligns with the MODERATE severity classification, as removing the exploit maturity metric while increasing severity seems inconsistent.
The original CVSS was considered invalid by the editor - I didn't change any of the supported toggles, I just had the editor recreate the score in a way it considered valid 🤷
53d9dfe into G-Rath/advisory-improvement-6392
Hi @G-Rath! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Updates
Comments
Added patched version