SB2021031224 - Prototype pollution in mcollina msgpack5

Published: March 12, 2021 Updated: June 2, 2023

Security Bulletin ID: SB2021031224
CSH Severity: Medium
Patch available: NO
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Prototype pollution (CVE-ID: CVE-2021-21368)

The vulnerability allows a remote user to execute arbitrary JavaScript code.

The vulnerability occurs because, when msgpack5 decodes a map containing the key "__proto__", it assigns the decoded value to __proto__. Object.prototype.__proto__ is an accessor property for the receiver's prototype, so the assignment replaces the prototype of the decoded object instead of creating an ordinary key. A remote user can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.


Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.