GHSA-2g4c-8fpm-c46v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2g4c-8fpm-c46v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-2g4c-8fpm-c46v/GHSA-2g4c-8fpm-c46v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2g4c-8fpm-c46v
- Aliases
- Published
- 2024-03-27T21:57:42Z
- Modified
- 2024-03-27T22:11:44.773394Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- web3-utils Prototype Pollution vulnerability
- Details
-
Impact:
The mergeDeep() function in the web3-utils package has been identified for Prototype Pollution vulnerability. An attacker has the ability to modify an object's prototype, which could result in changing the behavior of all objects that inherit from the impacted prototype by providing carefully crafted input to function.
Patches:
It has been fixed in web3-utils version 4.2.1 so all packages and apps depending on web3-utils >=4.0.1 and <=4.2.0 should upgrade to web3-utils 4.2.1.
Workarounds:
None
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-1321" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-03-27T21:57:42Z" }- References
Affected packages
npm / web3-utils
Package
- Name
- web3-utils
- View open source insights on deps.dev
- Purl
- pkg:npm/web3-utils