Prototype pollution

[gkmr507]

I would like to report a Prototype pollution vulnerability in "fast-json-stable-stringify".

If required I can submit a POC through a secured channel. Thanks.

[asafbiton]

Hi @anonymous507, I'm working for Snyk, and I see that this repository is not heavily maintained. May I offer you disclose this vulnerability to us via our vulnerability disclosure form, or email us directly at report@snyk.io? We can then take it up with the maintainers, following a responsible disclosure process. Thanks!

[epoberezkin]

Please email evgeny@poberezkin.com

[epoberezkin]

Or actually as it is a part of Tidelift subscription it is best to report via their process - they will creat CVE and disclose once fixed @anonymous507

@asafbiton re “not maintained” is not factual, it would be correct to say “not actively developed” - as it is a simple and stable library. Please do not suggest alternative security reporting channels - the correct one is available in readme.

[asafbiton]

@epoberezkin apologies for the misunderstanding!

I would also like to point out a small misunderstanding. We are not an alternative at all! Our aim is to collaborate with researchers and maintainers to make OS code more secure. All we do is serve as a mediator between reporters and maintainers and we always make sure to follow a responsible disclosure process and use the correct channels if available. We also of course verify the POC and make sure it’s indeed a vulnerability before doing so, and in that way make the process easier for both reporters and maintainers :)

Feel free to read more about our work here: https://snyk.io/blog/vulnerability-disclosure-program/

I hope this makes sense. In any case - we are always happy to help, in this case or otherwise 😊

[epoberezkin]

Thank you!

[MarcinHoppe]

This issue has also been reported to the Node.js Ecosystem program on HackerOne, and we're coordinating the fix and disclosure there.

[epoberezkin]

Investigating - TBC.