Description
@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.
Remediation
References
https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291
https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6
Related Vulnerabilities
CVE-2018-11775 Vulnerability in maven package org.apache.activemq:activemq-all
CVE-2023-30515 Vulnerability in maven package io.jenkins.plugins:thycotic-devops-secrets-vault
CVE-2021-23337 Vulnerability in npm package lodash.template
CVE-2022-34115 Vulnerability in maven package io.dataease:dataease-plugin-common
CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-jms-processors