Closed po6ix closed 4 years ago
Thanks for reporting this. Fix has been applied and published to NPM: https://github.com/richardgirges/express-fileupload/releases/tag/1.1.8
@richardgirges The fix can be bypassed. Instead of referencing __proto__.toString, one can reference constructor.prototype.toString.
Thanks @securityMB - it has been fixed and a second deprecation notice has been posted on NPM for all prior versions.
https://www.bleepingcomputer.com/news/security/nodejs-module-downloaded-7m-times-lets-hackers-inject-code/ They just announced in the news about this today.. yet you claim to have fixed it 5 days ago.. love how far the news is behind on this.. thanks for the quick fix of this issue! Someone should contact the news folks..
Thanks for the heads up on this @naraphox
This module has a prototype pollution vulnerability, and it can cause DoS with the parseNested option.
server
exploit
raw packet
The full description is here: https://blog.p6.is/Real-World-JS-1/
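
The class of bug reported above, and the reason a check for `__proto__` alone is insufficient (the bypass noted in the thread), shown as an added example that is not express-fileupload's own code: a naive nested-key setter beside a hardened one. The function names and the `polluted` property are constructed for illustration.

```javascript
// Added example; names are hypothetical, not express-fileupload's code.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" or "a.b.c" into path segments.
function splitPath(key) {
  return key.split(/[.\[\]]+/).filter(Boolean);
}

// Naive: follows any segment the client sent, including inherited ones.
function setNestedNaive(target, key, value) {
  const path = splitPath(key);
  let cur = target;
  for (const seg of path.slice(0, -1)) {
    if (cur[seg] === undefined) cur[seg] = {};
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
}

// Hardened: rejects prototype-reaching segments anywhere in the path,
// only descends into own properties, and creates null-prototype objects.
function setNestedSafe(target, key, value) {
  const path = splitPath(key);
  if (path.length === 0 || path.some((seg) => BLOCKED.has(seg))) return false;
  let cur = target;
  for (const seg of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[path[path.length - 1]] = value;
  return true;
}

// Run both setters on the two key shapes named in the thread.
function demo() {
  const results = {};
  for (const key of ['__proto__.polluted', 'constructor.prototype.polluted']) {
    setNestedNaive({}, key, 'yes');
    const naivePolluted = ({}).polluted === 'yes';
    delete Object.prototype.polluted; // undo the constructed pollution
    const accepted = setNestedSafe(Object.create(null), key, 'yes');
    results[key] = { naivePolluted, accepted, safePolluted: 'polluted' in {} };
  }
  return results;
}
```

Both key shapes reach `Object.prototype` through the naive setter, while the hardened setter refuses them and still accepts ordinary nested keys such as `user[name]`.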