Description
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Remediation
References
https://snyk.io/vuln/SNYK-JS-INI-1048974
https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1
https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html
Related Vulnerabilities
CVE-2022-29894 Vulnerability in npm package strapi
CVE-2021-21267 Vulnerability in npm package schema-inspector
CVE-2022-25845 Vulnerability in maven package com.alibaba:fastjson
CVE-2020-27543 Vulnerability in npm package restify-paginate
CVE-2019-12043 Vulnerability in maven package org.webjars.bower:remarkable