UglifyJS Vulnerable to Prototype Pollution via 'DEFNODE' Function
Uglify version 3.17.4
JavaScript input
There is a BlackDuck issue:
BDSA: BDSA-2022-3013
[CVE-2022-37598]
Published: Oct 24, 2022
Updated: Dec 19, 2022
The link to the CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-37598
Description:
UglifyJS is vulnerable to prototype pollution through trusting unsanitized user input. A remote attacker could potentially leverage this to cause property injection, altering the flow of critical data throughout the application, a denial-of-service (DoS) or potentially execute arbitrary code depending on how objects are used by an application.
Note: The vendor disputes the validity of this vulnerability, asserting:
the methods argument is always statically determined by the method calls that exist in ast.js and therefore always under the complete control of the authors of this library.
Could you please fix the issue?
Please let me know if you need additional information.
Best regards,
Kate.