#VU83421 Prototype pollution in flat
Vulnerability identifier: #VU83421
Vulnerability risk: Critical
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-1321
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
flat
Other software /
Other software solutions
Vendor: hughsk (Hugh Kennedy)
Description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists in the function unflatten of the file index.js. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..
Vulnerable software versions
flat: 1.0.0 - 5.0.1
External links
http://github.com/hughsk/flat/pull/106
http://vuldb.com/?ctiid.216777
http://vuldb.com/?id.216777
http://github.com/hughsk/flat/issues/105
http://github.com/hughsk/flat/releases/tag/5.0.1
http://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
