Description

This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Remediation

References

https://github.com/firebase/firebase-js-sdk/commit/9cf727fcc3d049551b16ae0698ac33dc2fe45ada

https://github.com/firebase/firebase-js-sdk/pull/4001

https://snyk.io/vuln/SNYK-JS-FIREBASEUTIL-1038324

Related Vulnerabilities

CVE-2022-43433 Vulnerability in maven package io.jenkins.plugins:screenrecorder

CVE-2023-29527 Vulnerability in maven package org.xwiki.platform:xwiki-platform-appwithinminutes-ui

CVE-2022-1245 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2020-13942 Vulnerability in maven package org.apache.unomi:unomi-kar

CVE-2023-25765 Vulnerability in maven package org.jenkins-ci.plugins:email-ext

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Patch Third Party Advisory Exploit NVD-CWE-noinfo