Vulnerability package dependency "defaults-deep" #4971
Comments
Hi. Thanks for the report. This is being addressed fast.
@pi0 Can you please explain shortly how you fixed that? (I followed the 2 links but ...)
For clarification, as also described in CVE-2018-16486, the impact is possibly more depending on the application. And no Nuxt users are affected for sure because options to the middleware are not from user input but only from For general: I submitted the fix to prevent accepting
Thanks for your contribution to Nuxt.js!
Issues that are labeled as
Version
v2.4.3
Reproduction link
https://www.npmjs.com/advisories/778
Steps to reproduce
Please fix this vulnerability in your dependency tree:
nuxt > @nuxt/core > @nuxt/server > serve-placeholder > defaults-deep
What is expected ?
0 vulnerabilities found when auditing packages.
As no patch is currently available for this vulnerability it is our recommendation to select another module that can provide this functionality.
What is actually happening?
All versions of defaults-deep are vulnerable to prototype pollution. Provided certain input, defaults-deep can add or modify properties of the Object prototype. These properties will be present on all objects.
Additional comments?
https://hackerone.com/reports/380878
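The pattern behind the advisory, as an added illustration that is not part of the original issue and not the code of defaults-deep itself: a naive recursive "defaults" merge walks into `target["__proto__"]`, which resolves to `Object.prototype`, so a crafted key lands on every object; the hardened variant skips prototype-related keys and only recurses into own properties. The function names and the JSON input are constructed for this example.

```javascript
// Added example: vulnerable deep-defaults merge beside a hardened one.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: for a key named "__proto__", target[key] is
// Object.prototype (a plain object), so the recursion writes into it.
function naiveDefaultsDeep(target, defaults) {
  for (const key of Object.keys(defaults)) {
    if (isPlainObject(defaults[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDefaultsDeep(target[key], defaults[key]);
    } else if (target[key] === undefined) {
      target[key] = defaults[key];
    }
  }
  return target;
}

// Hardened variant: never merge prototype-related keys, and only recurse
// into objects that are the target's own properties, never inherited ones.
function safeDefaultsDeep(target, defaults) {
  for (const key of Object.keys(defaults)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(defaults[key])) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeDefaultsDeep(target[key], defaults[key]);
    } else if (!hasOwn(target, key)) {
      target[key] = defaults[key];
    }
  }
  return target;
}

// Constructed untrusted input; JSON.parse makes "__proto__" an own key.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": true}, "port": 3000}';

// Runs one merge, reports whether an unrelated fresh object was affected,
// and removes any pollution so later code in the process is unaffected.
function runMerge(mergeFn) {
  const target = mergeFn({ port: 8080 }, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, port: target.port };
}
```

`runMerge(naiveDefaultsDeep).leaked` is `true` while `runMerge(safeDefaultsDeep).leaked` is `false`; the same fresh-object check is a cheap regression test to keep next to any deep-merge helper.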