ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this built-in attribute to manipulate the type detection result.
Any updates on fixing this vulnerability? Updating uglify-js in the pug-filters repo might solve this issue (but I have not confirmed that this is the case).
Pug Version: 2.0.4
Node Version: 10.16.3
Dependency Hierarchy:
- pug-2.0.4.tgz (Root Library)
  - pug-filters-3.1.1.tgz
    - uglify-js-2.8.29.tgz
      - yargs-3.10.0.tgz
        - cliui-2.1.0.tgz
          - center-align-0.1.3.tgz
            - align-text-0.1.4.tgz
              - kind-of-3.2.2.tgz (Vulnerable Library)
Source: https://nvd.nist.gov/vuln/detail/CVE-2019-20149
Publish Date: 2019-12-30
Additional Comments
Check out https://github.com/jonschlinkert/kind-of/pull/31
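The advisory above describes a detector that trusts `val.constructor.name`, so an attacker-controlled plain object (for example, parsed JSON) carrying its own `constructor` key can steer the result. The following is an added example, not kind-of's own code and not code from the pug project: `naiveKindOf` is a deliberately simplified detector that mirrors that weak pattern, `hardenedKindOf` shows a variant that never reads a property the value itself can define, and `findSpoofedKeys` is a hypothetical input-validation helper that flags the prototype-related keys in untrusted data so they can be rejected or logged. `SPOOFED` and `HONEST` are constructed sample inputs built from the payload quoted in the advisory.

```javascript
// Added example (not kind-of's code): weak vs. hardened type detection,
// plus a validation helper for untrusted object input.

// Constructed sample inputs. SPOOFED carries the payload from the advisory
// as an own data property named "constructor"; HONEST is an ordinary object.
const SPOOFED = JSON.parse('{"constructor":{"name":"Symbol"},"user":"alice"}');
const HONEST = { user: 'alice' };

// Simplified detector that mirrors the weak pattern: it trusts
// constructor.name, which a plain object's own property can shadow.
function naiveKindOf(val) {
  if (val === null) return 'null';
  if (val === undefined) return 'undefined';
  const t = typeof val;
  if (t !== 'object') return t;
  const name = val.constructor && val.constructor.name;
  switch (name) {
    case 'Symbol': return 'symbol';
    case 'Array': return 'array';
    case 'Date': return 'date';
    case 'RegExp': return 'regexp';
    default: return 'object';
  }
}

// Hardened detector: primitives (including real symbols) are decided by
// typeof, and object kinds by checks that consult the real prototype chain
// or internal slots rather than a property on the value.
function hardenedKindOf(val) {
  if (val === null) return 'null';
  if (val === undefined) return 'undefined';
  const t = typeof val;
  if (t !== 'object') return t;
  if (Array.isArray(val)) return 'array';
  if (val instanceof Date) return 'date';
  if (val instanceof RegExp) return 'regexp';
  if (val instanceof Map) return 'map';
  if (val instanceof Set) return 'set';
  return 'object';
}

// Hypothetical validation helper: walk untrusted data and return the paths
// of own keys that shadow prototype machinery. JSON.parse creates these as
// ordinary own data properties, so Object.keys sees them.
const SUSPECT_KEYS = new Set(['constructor', '__proto__', 'prototype']);

function findSpoofedKeys(val, path = '$', out = []) {
  if (val === null || typeof val !== 'object') return out;
  for (const key of Object.keys(val)) {
    const here = `${path}.${key}`;
    if (SUSPECT_KEYS.has(key)) out.push(here);
    findSpoofedKeys(val[key], here, out);
  }
  return out;
}

// Convenience wrapper for a reject-or-accept decision on parsed input.
function hasSpoofedKeys(val) {
  return findSpoofedKeys(val).length > 0;
}

console.log('naive   :', naiveKindOf(SPOOFED), naiveKindOf(HONEST));
console.log('hardened:', hardenedKindOf(SPOOFED), hardenedKindOf(HONEST));
console.log('flagged :', findSpoofedKeys(SPOOFED));
```

The naive detector reports the spoofed object as a `symbol`, while the hardened one reports `object` for both inputs. Running `findSpoofedKeys` on request bodies before they reach any library that inspects `constructor` gives a cheap detection signal independent of whether the dependency chain has been patched.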