jaysaurus/co-koa-cli

A Command Line Interface for installing and managing Co.Koa applications.
Vulnerabilities 1 via 1 paths
Dependencies 83
Source GitHub
Commit 8404b50e


low severity
new

Information Disclosure

  • Vulnerable module: kind-of
  • Introduced through: run-sequence@2.2.1

Detailed paths

  • Introduced through: co-koa-cli@jaysaurus/co-koa-cli#8404b50e61b6845e8f8868727a14235dafd4009d run-sequence@2.2.1 plugin-error@0.1.2 extend-shallow@1.1.4 kind-of@1.1.0

Overview

kind-of is a package that gets the native type of a value.

Affected versions of this package are vulnerable to Information Disclosure. To detect the type of a value, kind-of reads the built-in `constructor` property of untrusted user input. A crafted payload can overwrite this built-in attribute and thereby manipulate the type detection result.

PoC by Feng Xiao

var kindOf = require('kind-of');

// Object supplied by an untrusted caller. The own "constructor" property
// shadows Object.prototype.constructor, which vulnerable kind-of versions
// consult when deciding the type.
var user_input = {
  user: 'barney',
  age: 36,
  active: true,
  "constructor":{"name":"Symbol"}
};

// Vulnerable versions report the spoofed type instead of 'object'.
console.log(kindOf(user_input));

Remediation

Upgrade kind-of to version 6.0.3 or higher.
