Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-87qp-7cw8-8q9c: web3-utils Prototype Pollution vulnerability

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object’s prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

ghsa
#vulnerability#web#git

web3-utils Prototype Pollution vulnerability

High severity GitHub Reviewed Published Mar 25, 2024 to the GitHub Advisory Database • Updated Mar 25, 2024

Related news

GHSA-2g4c-8fpm-c46v: web3-utils Prototype Pollution vulnerability

### Impact: The mergeDeep() function in the web3-utils package has been identified for Prototype Pollution vulnerability. An attacker has the ability to modify an object's prototype, which could result in changing the behavior of all objects that inherit from the impacted prototype by providing carefully crafted input to function. ### Patches: It has been fixed in web3-utils version 4.2.1 so all packages and apps depending on web3-utils >=4.0.1 and <=4.2.0 should upgrade to web3-utils 4.2.1. ### Workarounds: None

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP