Description

This affects the package total.js before 3.4.7. The set function can be used to set a value into the object according to the path. However the keys of the path being set are not properly sanitized, leading to a prototype pollution vulnerability. The impact depends on the application. In some cases it is possible to achieve Denial of service (DoS), Remote Code Execution or Property Injection.

Remediation

References

https://docs.totaljs.com/latest/en.html%23api~FrameworkUtils~U.set

https://github.com/totaljs/framework/blob/master/utils.js%23L6606

https://github.com/totaljs/framework/blob/master/utils.js%23L6617

https://github.com/totaljs/framework/commit/b3f901561d66ab799a4a99279893b94cad7ae4ff

https://snyk.io/vuln/SNYK-JS-TOTALJS-1046671

Related Vulnerabilities

CVE-2016-0762 Vulnerability in maven package tomcat:catalina

CVE-2023-34238 Vulnerability in npm package gatsby

CVE-2022-0613 Vulnerability in npm package urijs

CVE-2022-25644 Vulnerability in npm package @pendo324/get-process-by-name

CVE-2020-7716 Vulnerability in npm package deeps

Severity

Critical

Tags

Broken Link Patch Third Party Advisory Exploit NVD-CWE-Other