GHSA-67mq-h2r9-rh2m

Source
https://github.com/advisories/GHSA-67mq-h2r9-rh2m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-67mq-h2r9-rh2m/GHSA-67mq-h2r9-rh2m.json
Aliases
Published
2021-04-13T15:23:41Z
Modified
2023-11-08T04:03:27.198840Z
Details

This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.

References

Affected packages

npm / multi-ini

Package

Name
multi-ini

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
2.1.2