silentmatt / expr-eval

Mathematical expression evaluator in JavaScript
http://silentmatt.com/javascript-expression-evaluator/
MIT License
1.18k stars 239 forks

Possible Prototype Pollution #251

Open yoshino-s opened 3 years ago

yoshino-s commented 3 years ago

I have found a possible prototype pollution vuln in this package. With specific input, attackers can define properties on the prototype, which will lead to prototype pollution.

Also I have made a tiny fix to prevent access to the prototype, which may fix this vuln.

https://github.com/418sec/expr-eval/pull/1

Should we accept the PR, or write some alert to users not to use untrusted input?
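The hazard described in this report, shown as an added example that is not code from this thread, from expr-eval, or from the linked pull request: an evaluator that resolves member names taken from an untrusted expression must refuse names that walk the prototype chain, otherwise an assignment through `__proto__` lands on `Object.prototype` and becomes visible to every object in the process. The helper names (`safeGet`, `safeSet`, `prototypeIsClean`), the forbidden-key list and the sample key are assumptions made for this illustration, not the project's API or its fix.

```javascript
// Added example, not expr-eval's code: a hardened member-access helper of the kind an
// expression evaluator needs when untrusted expressions can name object members.
// Names that must never be resolved from untrusted input (constructed list; assumption).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Read member `key` of `obj`, refusing prototype-walking names and inherited properties.
function safeGet(obj, key) {
  if (obj === null || obj === undefined) {
    throw new TypeError('member access on null or undefined');
  }
  const name = String(key);
  if (FORBIDDEN_KEYS.has(name)) {
    throw new Error(`access to "${name}" is not allowed`);
  }
  // Own properties only: anything inherited (e.g. from Object.prototype) is unreachable.
  return Object.prototype.hasOwnProperty.call(obj, name) ? obj[name] : undefined;
}

// Assign member `key` of `obj`, refusing names that would reach the prototype chain.
function safeSet(obj, key, value) {
  if (obj === null || typeof obj !== 'object') {
    throw new TypeError('member assignment on a non-object value');
  }
  const name = String(key);
  if (FORBIDDEN_KEYS.has(name)) {
    throw new Error(`assignment to "${name}" is not allowed`);
  }
  // defineProperty on the object itself never walks the chain, unlike `obj[name] = value`.
  Object.defineProperty(obj, name, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return obj;
}

// Detection aid: a successful pollution leaves enumerable own properties on
// Object.prototype, which a clean process never has.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Naive member assignment beside the hardened path, on a constructed attacker-chosen key.
function demo() {
  const untrustedKey = '__proto__'; // constructed: the member name an expression supplies
  const results = {};

  // Naive evaluator behaviour: obj[key] resolves __proto__ and the write hits the chain.
  const victim = {};
  victim[untrustedKey]['polluted'] = 'yes';
  results.naiveLeaked = ({}).polluted === 'yes'; // true: an unrelated object sees it
  delete Object.prototype.polluted;              // undo the damage for the rest of the demo

  // Hardened path: the same name is refused before any property is touched.
  let refused = false;
  try {
    safeSet({}, untrustedKey, { polluted: 'yes' });
  } catch (e) {
    refused = true;
  }
  results.hardenedRefused = refused;
  results.stillClean = prototypeIsClean() && ({}).polluted === undefined;
  return results;
}
```

The `prototypeIsClean` check is cheap enough to run in a test suite or a health check after evaluating a batch of expressions; a non-empty result is a reliable sign that some member access bypassed the deny list.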

silentmatt commented 3 years ago

Thanks for finding and fixing this! I had it create a pull request (#252) and I'll make sure it gets merged and released soon.

yoshino-s commented 3 years ago

Thanks a lot.

yoshino-s commented 3 years ago

By the way, should we submit it to the GitHub security advisory and npm advisory, which will automatically alert downstream packages and apps? And can we apply for a CVE ID for the vuln, which can help me a lot? Thanks a lot.

yoshino-s commented 3 years ago

Any progress here?

motherthestate commented 2 years ago

Any reason why this issue is still open?

willstott101 commented 2 years ago

Despite a fix being merged, there's been no release yet :(

It would be great if we could cut a 2.0.3 release