Description:
ctorName in index.js in kind-of v6.0.3 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this built-in attribute to manipulate the type detection result.
This was patched in 6.0.3, so it is not affected by this. (The linked CVE even says < 6.0.3.)
If you are having problems, try using this guide to ensure you have the latest patched version.
Service: FOSSA (app.fossa.com)
Vulnerability Code: CVE-2019-20149
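A simplified sketch of the type confusion the CVE description refers to, added here as an example and not taken from kind-of's source. The function names (naiveKindOf, safeKindOf and their helpers) are hypothetical, and the input is constructed from the payload shape quoted in the description.

```javascript
// Added illustration; simplified, not kind-of's actual source.

// Naive detection: trusts whatever `constructor.name` resolves to,
// including an own property that arrived in parsed user input.
function naiveCtorName(val) {
  return val.constructor ? val.constructor.name : null;
}

function naiveKindOf(val) {
  if (val === null) return 'null';
  if (typeof val !== 'object') return typeof val;
  const name = naiveCtorName(val);
  return name ? name.toLowerCase() : 'object';
}

// Hardened detection: consult `constructor` only when it is a real function
// (JSON cannot carry one), otherwise fall back to the engine's internal tag.
function safeCtorName(val) {
  return typeof val.constructor === 'function' ? val.constructor.name : null;
}

function safeKindOf(val) {
  if (val === null) return 'null';
  if (typeof val !== 'object') return typeof val;
  const name = safeCtorName(val);
  if (name) return name.toLowerCase();
  // "[object Object]" -> "object"
  return Object.prototype.toString.call(val).slice(8, -1).toLowerCase();
}

// Constructed sample input: the payload shape quoted in the CVE description.
const untrusted = JSON.parse('{"constructor": {"name": "Symbol"}, "id": 1}');

function demo() {
  return {
    naive: naiveKindOf(untrusted),     // label chosen by the input
    safe: safeKindOf(untrusted),       // plain object, as it really is
    realDate: safeKindOf(new Date(0)), // genuine built-ins still resolve
  };
}

console.log(demo());
```

Any code that branches on the naive result (for example, skipping validation or cloning for "symbol" values) is what turns the mislabel into a real problem, so that is the place to check when triaging this finding.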