Closed lelecolacola123 closed 1 year ago
Github just published this vulnerability here: https://github.com/advisories/GHSA-89qm-hm2x-mxm3
cc @kimmobrunfeldt
Also being registered by the Snyk scan: https://security.snyk.io/vuln/SNYK-JS-PROGRESSBARJS-3184152
progressbar.js is included in bootstrap italia 2.x, and I can't get the vulnerability tests to pass. Any news on this?
Does the POC in the issue description work for anyone? I was going to take a stab at this issue, but I always get this result:
```
Before: undefined
After: undefined
```
Fixed in release 1.1.1 by using lodash.merge instead of the custom extend code. The code was written at a time when npm for frontend dependency management was still considered a new thing. There are also plenty of other old code relics, such as vendor prefixes in the stylings. The build system is very old, so to be able to even npm install I just removed all tests.
Hi! There's a prototype pollution vulnerability in the function extend() in the file utils.js. Affected versions of this package are vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype. The risk is located here: https://github.com/kimmobrunfeldt/progressbar.js/blob/74536b9eeeaaf51144706d918ed5a0a679631d96/src/utils.js#L20 https://github.com/kimmobrunfeldt/progressbar.js/blob/74536b9eeeaaf51144706d918ed5a0a679631d96/src/utils.js#L18 and the POC is as follows:

```javascript
var progressbar = require("progressbar.js");
// JSON.parse creates an own property literally named "__proto__";
// the recursive extend() then walks into Object.prototype through it.
var BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');
console.log("Before: " + {}.test);
// The truthy third argument switches extend() into recursive mode.
progressbar.utils.extend({}, BAD_JSON, {});
console.log("After: " + {}.test);
```
More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
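As an added, self-contained illustration of the bug class described in this issue (this is not progressbar.js source and not the fix the maintainer shipped, which replaced extend() with lodash.merge): the script below reconstructs the recursive-extend pattern that is vulnerable, shows why the third argument in the POC matters, and puts a hand-hardened merge next to it. The function names (`vulnerableExtend`, `safeExtend`, `demoVulnerable`, `demoNonRecursive`, `demoHardened`) and the exact shape of `vulnerableExtend` are assumptions made for the example; the payload is the one from the issue, constructed inline.

```javascript
// Added example, not progressbar.js code. vulnerableExtend is a
// reconstruction of the recursive-extend pattern the issue describes,
// written from the issue text rather than copied from src/utils.js.

function isObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: for every own key of source, recurse into
// destination[key]. JSON.parse makes "__proto__" an own key, and for a
// plain {} destination the lookup destination["__proto__"] returns
// Object.prototype, so the recursion writes straight onto it.
function vulnerableExtend(destination, source, recursive) {
  destination = destination || {};
  source = source || {};
  for (var key in source) {
    if (source.hasOwnProperty(key)) {
      var destVal = destination[key];
      var sourceVal = source[key];
      if (recursive && isObject(destVal) && isObject(sourceVal)) {
        destination[key] = vulnerableExtend(destVal, sourceVal, recursive);
      } else {
        destination[key] = sourceVal;
      }
    }
  }
  return destination;
}

// Hardened pattern: refuse the keys that reach shared prototypes, resolve
// own properties without trusting source.hasOwnProperty, and only recurse
// into a value that is an own property of destination.
var FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
var hasOwn = Object.prototype.hasOwnProperty;

function safeExtend(destination, source, recursive) {
  destination = destination || {};
  source = source || {};
  for (var key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      continue; // never walk into Object.prototype / Function.prototype
    }
    var sourceVal = source[key];
    var destVal = hasOwn.call(destination, key) ? destination[key] : undefined;
    if (recursive && isObject(destVal) && isObject(sourceVal)) {
      destination[key] = safeExtend(destVal, sourceVal, recursive);
    } else {
      destination[key] = sourceVal;
    }
  }
  return destination;
}

// The issue's payload, constructed inline. JSON.parse does not change the
// parsed object's prototype; it creates an own property named "__proto__".
var BAD_JSON = JSON.parse('{"__proto__": {"test": 123}}');

// Recursive merge: every object in the process now sees .test === 123.
// The polluted property is deleted afterwards so the process stays usable.
function demoVulnerable() {
  var before = ({}).test;
  vulnerableExtend({}, BAD_JSON, true);
  var after = ({}).test;
  delete Object.prototype.test;
  return { before: before, after: after };
}

// Non-recursive merge: destination["__proto__"] = {...} only swaps the
// prototype of the one object being built, which is why the POC passes a
// truthy third argument to reach the recursive branch.
function demoNonRecursive() {
  var merged = vulnerableExtend({}, BAD_JSON, false);
  return { mergedTest: merged.test, globalTest: ({}).test };
}

// Hardened merge: the "__proto__" key is dropped and nothing leaks.
function demoHardened() {
  var merged = safeExtend({}, BAD_JSON, true);
  return {
    after: ({}).test,
    mergedHasOwnProto: hasOwn.call(merged, '__proto__')
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable, recursive:', demoVulnerable());
  console.log('vulnerable, non-recursive:', demoNonRecursive());
  console.log('hardened:', demoHardened());
}
```

Two points the script makes that the POC alone does not: the pollution only happens on the recursive path (a merge that assigns `__proto__` without recursing corrupts just the object being built), and a key denylist is only half of a fix; resolving `destVal` through `hasOwn.call` also stops the recursion from descending into inherited objects under any other key name.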