CVE-2022-37617/ Prototype pollution found in resolve-shims.js #245
Comments
You can definitely overwrite the prototype for browserify-shim/lib/resolve-shims.js Line 130 in bae7ece
But I'm not seeing a way that you could pollute the global scope, e.g., Beyond that, I'm not even sure overwriting browserify-shim/lib/resolve-shims.js Lines 99 to 100 in bae7ece
No methods are called so I'm not seeing a way to achieve code execution. Would appreciate some clarification on whether there's a substantive vulnerability here or whether this was potentially vulnerable code identified through automated static analysis. In any case, guarding against prototype assignment is easy enough.
Hello, The code has been flagged as potentially vulnerable code and the CVE has the sink and the path details of the code. All the reports are based on the research work of my colleague (you can find her paper's link below) and I am reporting them here as per her analysis and records. https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 - This is the published paper with the GitHub link to her static analysis tool.
This whole package depends on adding a property to the global since that is what certain packages expect. In more modern scenarios where this is not desired/necessary browserify-shim is not used. Please stop reporting these issues of the same family here. It is noise and adds overhead to the maintainers' work.
Prototype pollution vulnerability in function resolveShims in resolve-shims.js in thlorenz browserify-shim 3.8.15 via the k variable in resolve-shims.js.
The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/
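
The distinction raised in the comments, between replacing one object's prototype and polluting the global `Object.prototype`, and the guard mentioned there, shown as an added JavaScript example. It is not browserify-shim's code: `collectShimsUnguarded`, `collectShimsGuarded`, `inspect` and the sample config are hypothetical names and constructed input.

```javascript
// Added illustration of the generic pattern; not code from resolve-shims.js.

// Constructed input: JSON.parse makes "__proto__" an ordinary own key.
const SAMPLE_CONFIG = JSON.parse(
  '{"jquery": "$", "__proto__": {"injected": "yes"}}'
);

// Unguarded pattern: every key k of the config is assigned onto a plain object.
function collectShimsUnguarded(config) {
  const acc = {};
  Object.keys(config).forEach(function (k) {
    // k === "__proto__" hits the inherited __proto__ setter and swaps
    // acc's own prototype instead of creating a property.
    acc[k] = config[k];
  });
  return acc;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Guarded pattern: null-prototype accumulator plus an explicit key denylist.
function collectShimsGuarded(config) {
  const acc = Object.create(null);
  Object.keys(config).forEach(function (k) {
    if (BLOCKED_KEYS.has(k)) return; // drop keys that address the prototype chain
    acc[k] = config[k];
  });
  return acc;
}

// Summarises what a reviewer would check on the returned object.
function inspect(result) {
  return {
    ownKeys: Object.keys(result).join(','),
    inheritedInjected: result.injected,          // reachable through result's prototype?
    globalPolluted: ({}).injected !== undefined  // did Object.prototype itself change?
  };
}

console.log('unguarded:', inspect(collectShimsUnguarded(SAMPLE_CONFIG)));
console.log('guarded:  ', inspect(collectShimsGuarded(SAMPLE_CONFIG)));
```

In the unguarded run only the returned object gains the inherited `injected` value; a fresh `{}` is unaffected, because a single-level assignment never writes to `Object.prototype`.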