Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-2g4c-8fpm-c46v: web3-utils Prototype Pollution vulnerability

Impact:

The mergeDeep() function in the web3-utils package has been identified for Prototype Pollution vulnerability. An attacker has the ability to modify an object’s prototype, which could result in changing the behavior of all objects that inherit from the impacted prototype by providing carefully crafted input to function.

Patches:

It has been fixed in web3-utils version 4.2.1 so all packages and apps depending on web3-utils >=4.0.1 and <=4.2.0 should upgrade to web3-utils 4.2.1.

Workarounds:

None

ghsa
#vulnerability#web#nodejs#js#git

Package

npm web3-utils (npm)

Affected versions

>= 4.0.1, < 4.2.1

Patched versions

4.2.1

Description

Impact:

The mergeDeep() function in the web3-utils package has been identified for Prototype Pollution vulnerability. An attacker has the ability to modify an object’s prototype, which could result in changing the behavior of all objects that inherit from the impacted prototype by providing carefully crafted input to function.

Patches:

It has been fixed in web3-utils version 4.2.1 so all packages and apps depending on web3-utils >=4.0.1 and <=4.2.0 should upgrade to web3-utils 4.2.1.

Workarounds:

None

References

  • GHSA-2g4c-8fpm-c46v
  • https://nvd.nist.gov/vuln/detail/CVE-2024-21505
  • web3/web3.js@8ed041c
  • https://security.snyk.io/vuln/SNYK-JS-WEB3UTILS-6229337

jdevcs published to web3/web3.js

Mar 27, 2024

Published to the GitHub Advisory Database

Mar 27, 2024

Reviewed

Mar 27, 2024

Last updated

Mar 27, 2024

Related news

GHSA-87qp-7cw8-8q9c: web3-utils Prototype Pollution vulnerability

Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP