Prisma is an open source ORM for Node.js & TypeScript. As of today, we are not aware of any Prisma users or external consumers of the @prisma/sdk package who are affected by this security vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. It only affects the getPackedPackage function and this function is not advertised and only used for tests & building our CLI, no malicious code was found after checking our codebase.
{
"cpe": "cpe:2.3:a:prisma:prisma:*:*:*:*:*:node.js:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.20.0"
}
],
"source": "CPE_RANGE"
}