CVE-2022-0108: Prototype Pollution in node-forge
Platform
chrome
Component
google-chrome
Fixed in
97.0.4692.71
CVE-2022-0108 identifies a prototype pollution vulnerability within the node-forge library, specifically affecting versions prior to 1.0.0. This issue stems from the forge.debug API, which was intended for internal debugging purposes and not designed to handle untrusted input. While the API's usage was limited and considered safe, exploitation is possible if it's inadvertently exposed to external data.
Impact and Attack Scenarios
A successful prototype pollution attack could allow an attacker to modify the prototype of JavaScript objects, potentially leading to unexpected behavior or denial of service. While the forge.debug API was not publicly documented or advertised, its misuse with untrusted input could corrupt internal data structures within applications relying on node-forge. The impact is considered low due to the limited usage and intended purpose of the API, but any modification of prototypes can have unpredictable consequences, especially in complex applications. This vulnerability highlights the importance of carefully controlling access to internal APIs and validating all external input.
Exploitation Context
This vulnerability was reported through Huntr.dev and published on 2022-01-08. The CVSS score is LOW (2.5). There are no known public exploits or active campaigns targeting this vulnerability. The low CVSS score and limited exposure of the forge.debug API suggest a low probability of exploitation in the wild.
Threat Analysis
Exploit Status
EPSS
0.33% (56th percentile)
Affected Software
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2022-0108 is to upgrade to version 1.0.0 of node-forge, which removes the vulnerable forge.debug API. If upgrading is not immediately feasible, avoid using the forge.debug API directly or indirectly with any untrusted input. Thoroughly review your application's code to identify any instances where the API might be called with external data. Consider implementing input validation and sanitization to prevent malicious data from reaching the API, although this is not a substitute for upgrading.
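One way to run the review described above, as an added example that is not part of the original advisory or of node-forge: it flags node-forge copies below 1.0.0 in a parsed npm lockfile and lists source lines that reference forge.debug. The lockfile content, the `tls-helper` package name and the function names are constructed for illustration, and the source scan assumes the module is bound to the name `forge`.

```javascript
// Added example: audit helper with constructed inputs (not node-forge code).
const FIXED = [1, 0, 0]; // fixed release named in the advisory text
// True when a version string sorts before 1.0.0 (pre-releases of 1.0.0 included).
function isBeforeFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(String(version));
  if (!m) return true; // unparseable: flag it for manual review
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return m[4] === "-";
}

// Collect every installed node-forge copy below the fixed version.
function findAffectedForge(lock) {
  const hits = new Map(); // keyed by install path so v2 lockfiles are not double counted
  // lockfileVersion 2/3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/node-forge$/.test(path) && isBeforeFixed(meta.version)) {
      hits.set(path, meta.version);
    }
  }
  // lockfileVersion 1: nested "dependencies" tree
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === "node-forge" && isBeforeFixed(meta.version)) hits.set(path, meta.version);
      walk(meta.dependencies, path + "/");
    }
  })(lock.dependencies, "");
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Heuristic: 1-based line numbers that reference forge.debug or forge["debug"].
// Assumes the module is bound to the conventional name `forge`.
function findDebugUse(source) {
  const re = /\bforge\s*(\.\s*debug\b|\[\s*['"]debug['"]\s*\])/;
  return source.split("\n").flatMap((line, i) => (re.test(line) ? [i + 1] : []));
}
// Constructed sample inputs.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/node-forge": { version: "0.10.0" },
    "node_modules/tls-helper/node_modules/node-forge": { version: "1.3.1" },
  },
  dependencies: { "node-forge": { version: "0.10.0" } },
};
const sampleSource = 'const forge = require("node-forge");\nconst dbg = forge.debug;';
```

To audit a real project, pass the parsed contents of `package-lock.json` to `findAffectedForge` and each source file's text to `findDebugUse`; aliased or destructured imports need a manual look.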
How to Fix
Update Google Chrome to version 97.0.4692.71 or later. The update can be performed through the browser settings or by downloading the latest version from the official Google Chrome website.
Frequently Asked Questions
What is CVE-2022-0108 — Prototype Pollution in node-forge?
CVE-2022-0108 is a LOW severity vulnerability in node-forge versions before 1.0.0. It involves a prototype pollution issue in the internal forge.debug API, potentially allowing attackers to modify object prototypes with untrusted input.
Am I affected by CVE-2022-0108 in node-forge?
You are affected if you are using node-forge versions 0.10.0 or earlier and your application uses the forge.debug API with untrusted input. Upgrade to 1.0.0 to resolve this.
How do I fix CVE-2022-0108 in node-forge?
Upgrade to node-forge version 1.0.0 or later. This version removes the vulnerable forge.debug API. Avoid using the API with untrusted input if upgrading is not immediately possible.
Is CVE-2022-0108 being actively exploited?
Currently, there are no known public exploits or active campaigns targeting CVE-2022-0108. However, it's crucial to apply the fix to prevent potential future exploitation.
Where can I find the official node-forge advisory for CVE-2022-0108?
You can find information about this vulnerability and the fix on the Huntr.dev bounty page: https://www.huntr.dev/bounties/1-npm-node-forge/