vadimpronin / guacamole-lite

Node.js library for creating Guacamole-compatible servers. Guacamole is an RDP/VNC/SSH/Telnet client for HTML5 browsers.
Apache License 2.0
250 stars, 78 forks

Best way to submit a security issue? #37

Closed dejanzelic closed 2 years ago

dejanzelic commented 3 years ago

What would be the best way for me to submit a security issue? I'd prefer to send it privately instead of a GitHub issue if possible.

landoncolburn commented 2 years ago

Was this ever resolved?

dejanzelic commented 2 years ago

It was. The issue is that the deep-extend package was using a version vulnerable to prototype pollution. In October of 2021 (version 0.7.0) it was bumped to the latest. Prototype pollution is not always exploitable, but in this situation it was, if client options could be provided by the user. This means that the old version, which used deep-extend 0.4.2, was vulnerable to remote code execution (again, in certain circumstances).
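As an added example (not code from guacamole-lite or from deep-extend, and not the project's own fix), the Node.js snippet below shows the class of bug the comment describes: a recursive option merge that treats a JSON key named `__proto__` like any other key, so a client-supplied settings object can write into `Object.prototype`, placed beside a hardened merge that refuses the `__proto__`, `constructor` and `prototype` keys and only descends into properties the target object owns itself. The default-options shape, the two payloads and the `polluted` marker property are constructed for the illustration. Whether such pollution turns into code execution depends on what other code in the process later reads from inherited properties; that is the "certain circumstances" part of the comment and is not shown here.

```javascript
// Added illustration, not guacamole-lite or deep-extend code.

// A recursive merge in the style of a deep-extend helper: copies every own key
// of src into dst, recursing into nested objects. It never special-cases the
// key "__proto__", which JSON.parse produces as an ordinary own property.
function naiveDeepExtend(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      // For key "__proto__", dst[key] resolves to Object.prototype, so the
      // recursion below writes the attacker's keys onto every object in
      // the process.
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      naiveDeepExtend(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Hardened merge: rejects keys that can reach a prototype (fail closed rather
// than silently dropping them), and only descends into a nested target that
// dst owns itself, never an inherited one such as Object.prototype.
function safeDeepExtend(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const val = src[key];
    if (isPlainObject(val)) {
      const target = hasOwn(dst, key) && isPlainObject(dst[key]) ? dst[key] : {};
      dst[key] = safeDeepExtend(target, val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Constructed payloads, as an untrusted client might send them over the socket.
// JSON.parse keeps "__proto__" as an ordinary own key (an object literal would
// instead set the prototype, which is why this trick works on parsed input).
const BENIGN_JSON = '{"connection":{"settings":{"hostname":"10.0.0.5"}}}';
const MALICIOUS_JSON =
  '{"connection":{"settings":{"hostname":"10.0.0.5"}},"__proto__":{"polluted":true}}';

// Merge client-supplied options over server defaults (the defaults' shape is
// illustrative, not guacamole-lite's) using the given merge function. Returns
// the merged options, whether the merge rejected the input, and whether a
// brand-new unrelated object now carries the attacker's marker property.
function mergeClientOptions(merge, untrustedJson) {
  const defaults = { connection: { type: 'rdp', settings: { port: '3389' } } };
  let result = null;
  let rejected = false;
  try {
    result = merge(defaults, JSON.parse(untrustedJson));
  } catch (e) {
    rejected = true;
  }
  // Probe: any "polluted" on a fresh object came from Object.prototype.
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo any pollution so later code is unaffected
  return { result, rejected, leaked };
}

console.log('naive merge polluted Object.prototype:',
  mergeClientOptions(naiveDeepExtend, MALICIOUS_JSON).leaked); // true
console.log('hardened merge rejected the payload:   ',
  mergeClientOptions(safeDeepExtend, MALICIOUS_JSON).rejected); // true
```

The two mitigations are independent and worth applying together: upgrading to a merge library that refuses prototype keys, and not handing raw client input to a deep merge at all but validating it against an allow-list of option names first, so the server decides which settings a client may override.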