wormhole
Patched Prototype Pollution in minimist
Patched Update clients/js/package-lock.json Upgrade minimist to version 1.2.6
```json
"dependencies": {
  "minimist": ">=1.2.5"
}
"devDependencies": {
  "minimist": ">=1.2.6"
}
```
Description of the bugs:
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
CVE-2021-44906
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Deploy request for tubular-dango-1656b2 pending review.
Visit the deploys page to approve it
Name | Link |
---|---|
Latest commit | 04a5af3e2d26f12016cabfeefb8a5b48d5cd18bc |
Bug Description:
I searched for vulnerabilities/CVEs in your code and found it affected by CVE-2021-44906. Below are the (PoCs): Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
A vulnerability was found in Minimist up to 1.2.5. It has been declared as critical. Affected by this vulnerability is the function setKey of the file index.js. The manipulation with an unknown input leads to a privilege escalation vulnerability. The CWE definition for the vulnerability is CWE-94. The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. The impact remains unknown.
Impact
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') https://nvd.nist.gov/vuln/detail/CVE-2021-44906
superseded by #1800
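
A version range in `package.json` does not say which minimist release is actually installed; the lockfile does. The following is an added example, not code from this pull request or from the wormhole project: it walks a parsed `package-lock.json` and lists every resolved minimist copy below 1.2.6, the patched version named above. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: list resolved minimist copies older than the patched release.
const FIXED = [1, 2, 6]; // patched version named on this page

// True when "x.y.z" sorts below FIXED. Pre-release/build suffixes are ignored;
// non-semver values (git URLs, tarball paths) are never flagged.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return false;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return false; // exactly the fixed version
}

// `lock` is the object returned by JSON.parse on a package-lock.json.
function findVulnerableMinimist(lock) {
  const hits = [];
  const add = (path, version) => {
    if (isVulnerable(version) && !hits.some((h) => h.path === path)) {
      hits.push({ path, version });
    }
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/minimist$/.test(path)) add(path, meta.version);
  }
  // lockfileVersion 1 (and the compatibility tree in v2): nested "dependencies".
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'minimist') add(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: top-level minimist is patched, a nested copy is not.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo' },
    'node_modules/minimist': { version: '1.2.6' },
    'node_modules/mkdirp': { version: '0.5.1' },
    'node_modules/mkdirp/node_modules/minimist': { version: '0.0.8' },
  },
};
console.log(findVulnerableMinimist(sampleLock));
```

A nested copy pulled in by a transitive dependency is reported with its full install path, which is the case a top-level range bump alone does not cover.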