Description

This affects the package @tsed/core before 5.65.7. This vulnerability relates to the deepExtend function which is used as part of the utils directory. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

Remediation

References

https://github.com/TypedProject/tsed/blob/production/packages/core/src/utils/deepExtends.ts%23L36

https://github.com/TypedProject/tsed/commit/1395773ddac35926cf058fc6da9fb8e82266761b

https://snyk.io/vuln/SNYK-JS-TSEDCORE-1019382

Related Vulnerabilities

CVE-2021-43571 Vulnerability in npm package starkbank-ecdsa

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http_2.13

CVE-2022-25869 Vulnerability in npm package angular

CVE-2022-42468 Vulnerability in maven package org.apache.flume.flume-ng-sources:flume-jms-source

CVE-2019-12741 Vulnerability in maven package ca.uhn.hapi.fhir:hapi-fhir-testpage-overlay

Severity

Critical

Classification

CWE-1321 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Broken Link Patch Third Party Advisory Exploit