Description
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context.
Remediation
References
https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1
https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html
https://snyk.io/vuln/SNYK-JS-INI-1048974
Related Vulnerabilities
CVE-2017-13098 Vulnerability in maven package com.madgag.spongycastle:bctls-jdk15on
CVE-2020-13934 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2020-26256 Vulnerability in maven package org.webjars.npm:fast-csv
CVE-2020-10683 Vulnerability in maven package org.dom4j:dom4j
CVE-2022-36007 Vulnerability in maven package com.github.jlangch:venice