Headline
GHSA-wwxh-74fx-33c6: Possible prototype pollution in metadata record, when using meta decorator
Impact
Possible prototype pollution for the MetadataRecord, when merged with a base class’ metadata object, in meta decorator from the @aedart/support package.
The likelihood is questionable, given that a class’ metadata can only be set or altered when the class is decorated via meta(). Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can become a vulnerability.
Patches
Has been patched in version 0.6.1.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-30857
Possible prototype pollution in metadata record, when using meta decorator
Low severity GitHub Reviewed Published Apr 28, 2023 in aedart/ion • Updated May 1, 2023
Package
npm @aedart/support (npm)
Affected versions
< 0.6.1
Impact
Possible prototype pollution for the MetadataRecord, when merged with a base class’ metadata object, in meta decorator from the @aedart/support package.
The likelihood is questionable, given that a class’ metadata can only be set or altered when the class is decorated via meta(). Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can become a vulnerability.
Patches
Has been patched in version 0.6.1.
References
- GHSA-wwxh-74fx-33c6
- https://nvd.nist.gov/vuln/detail/CVE-2023-30857
- aedart/ion@c3e2ee0
Published to the GitHub Advisory Database
May 1, 2023
Related news
@aedart/support is the support package for Ion, a monorepo for JavaScript/TypeScript packages. Prior to version `0.6.1`, there is a possible prototype pollution issue for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@aedart/support` package. The likelihood of exploitation is questionable, given that a class's metadata can only be set or altered when the class is decorated via `meta()`. Furthermore, object(s) of sensitive nature would have to be stored as metadata, before this can lead to a security impact. The issue has been patched in version `0.6.1`.