Description

@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.

Remediation

References

https://github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291

https://github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6

Related Vulnerabilities

CVE-2023-45811 Vulnerability in npm package deobfuscator

CVE-2021-37713 Vulnerability in npm package tar

CVE-2021-25931 Vulnerability in maven package org.opennms:opennms-webapp

CVE-2023-34468 Vulnerability in maven package org.apache.nifi:nifi-hikari-dbcp-service

CVE-2023-31101 Vulnerability in maven package org.apache.inlong:manager-service

Severity

Low

Classification

CWE-1321 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Patch Vendor Advisory