derby@0.6.0-alpha9 vulnerabilities

MVC framework making it easy to write realtime, collaborative applications that run in both Node.js and browsers.

Direct Vulnerabilities

Known vulnerabilities in the derby package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation due to the this.lastSegment variable in the emit function not being sanitized. An attacker can manipulate the this.lastSegment variable to set it to __proto__, leading to prototype pollution.

Notes:

1)If the application author has atypical HTML templates that feed user input into an object key.

  1. Attribute keys are almost always developer-controlled, not end-user-controlled, so this shouldn't be an issue in practice for most applications.

How to fix Improper Input Validation?

Upgrade derby to version 2.3.2, 3.0.2, 4.0.0-beta.11 or higher.

<2.3.2 >=3.0.0 <3.0.2 >=4.0.0-beta.2 <4.0.0-beta.11