user-agents icon indicating copy to clipboard operation
user-agents copied to clipboard

Published 20 hours ago verified publisher icon intoli

Security Vulnerability: CVE-2023-26139 underscore-keypath Prototype Pollution

Open mdwekat opened this issue 1 year ago • 1 comments

Description

I have identified a security vulnerability in one of the dependencies used by user-agents v1.0.1444. The dependency underscore-keypath is vulnerable to Prototype Pollution, as described in CVE-2023-26139.

Details

  • Affected Version: user-agents v1.0.1444
  • Vulnerable Dependency: underscore-keypath
  • CVE: CVE-2023-26139
  • Impact: Prototype Pollution can allow an attacker to inject arbitrary properties into existing objects. This can lead to various types of security vulnerabilities such as bypassing security checks or potentially unauthorized execution of code.

Steps to Reproduce

  1. Install the user-agents package using npm with the version v1.0.1444.
  2. Run npm audit in the project directory.

Thank you for your attention to this matter.

mdwekat avatar Aug 09 '23 23:08 mdwekat

There seems to be a PR #59 that should fix this issue.

modestfake avatar Oct 16 '23 00:10 modestfake