-
Notifications
You must be signed in to change notification settings - Fork 123
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prototype Pollution using .parse() #114
Comments
The Github advisory states this vulnerability has been fixed on The version The vulnerable code seems to be on the Line 127 in fa8e184
@TooTallNate will try to submit a PR to fix this vulnerability in the next few days, unless you want to fix yourself. |
Thanks for merging my PR @mreinstein . Would you please release a new version of |
published as 3.0.5 on npm. Thanks for the PR! |
this issue still happen on version 3.0.5 with nexus scan. |
@Donhv the problem appears to be that NIST has the vulnerability listed as addressed in 3.0.4: ...but it was actually addressed in 3.0.5. Nexus has listed an "advisory deviation notice" because they tested 3.0.4 and found the vulnerability still extant. I've informed Nexus and hopefully they will update the status of 3.0.5. (Kudos that they go through the effort of verifying!) |
Updated info. Looks like dist directory is missing the patch: |
Hi, There's a prototype pollution in .parse() related to the xml that are being parsed in it. In the following example the prototype pollution will affect the
length
parameter.The text was updated successfully, but these errors were encountered: