Headline
GHSA-2g4c-8fpm-c46v: web3-utils Prototype Pollution vulnerability
Impact:
The mergeDeep() function in the web3-utils package has been identified for Prototype Pollution vulnerability. An attacker has the ability to modify an object’s prototype, which could result in changing the behavior of all objects that inherit from the impacted prototype by providing carefully crafted input to function.
Patches:
It has been fixed in web3-utils version 4.2.1 so all packages and apps depending on web3-utils >=4.0.1 and <=4.2.0 should upgrade to web3-utils 4.2.1.
Workarounds:
None
Package
npm web3-utils (npm)
Affected versions
>= 4.0.1, < 4.2.1
Patched versions
4.2.1
Description
Impact:
The mergeDeep() function in the web3-utils package has been identified for Prototype Pollution vulnerability. An attacker has the ability to modify an object’s prototype, which could result in changing the behavior of all objects that inherit from the impacted prototype by providing carefully crafted input to function.
Patches:
It has been fixed in web3-utils version 4.2.1 so all packages and apps depending on web3-utils >=4.0.1 and <=4.2.0 should upgrade to web3-utils 4.2.1.
Workarounds:
None
References
- GHSA-2g4c-8fpm-c46v
- https://nvd.nist.gov/vuln/detail/CVE-2024-21505
- web3/web3.js@8ed041c
- https://security.snyk.io/vuln/SNYK-JS-WEB3UTILS-6229337
jdevcs published to web3/web3.js
Mar 27, 2024
Published to the GitHub Advisory Database
Mar 27, 2024
Reviewed
Mar 27, 2024
Last updated
Mar 27, 2024
Related news
Versions of the package web3-utils before 4.2.1 are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading to the alteration of the behavior of all objects inheriting from the affected prototype by passing specially crafted input to these functions.