backbone-query-parameters icon indicating copy to clipboard operation
backbone-query-parameters copied to clipboard

Published 20 hours ago verified publisher icon jhudson8

Prototype Pollution Vulnerability (CVE-2021-20085)

Open brianadeloye opened this issue 3 years ago • 0 comments

backbone-query-parameters is vulnerable to prototype pollution (CVE-2021-20085). The readme indicates this package has been unmaintained going on six years, so I'm not opening this issue with the expectation that it will get fixed. I'm opening it to raise awareness since this was reported to npm, and they've indicated they're not going to publish a security advisory. If you're using this package, I think the only options to address this vulnerability are:

  • Fork it and develop a fix on your own, or
  • Stop using the library

References:

  • https://bugcrowd.com/disclosures/57b28008-4653-4dec-88c3-4d38e40023ff/toolbox-teslamotors-com-html-injection-via-prototype-pollution-potential-xss
  • https://github.com/BlackFan/client-side-prototype-pollution/blob/master/pp/backbone-qp.md
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20085

brianadeloye avatar Apr 30 '21 18:04 brianadeloye