Platform: nodejs
Component: set-value
Fixed in: 2.0.2, 2.0.1
CVE-2019-10747 describes a Prototype Pollution vulnerability in the set-value npm package affecting versions prior to 2.0.1 (2.x line) and prior to 3.0.1 (3.x line). It allows an attacker who controls the property path passed to set-value to modify Object.prototype, potentially leading to unexpected behavior and security compromises. The fix is available in versions 2.0.1 and 3.0.1.
Prototype Pollution is a dangerous class of vulnerability in which an attacker injects properties into Object.prototype, typically by supplying a path such as `__proto__` or `constructor.prototype`. Since nearly all JavaScript objects inherit from Object.prototype, any property added there becomes visible on every object in the application. An attacker could use this to add properties the application never set, overwrite defaults, or influence code paths that branch on object properties. Depending on the application's logic and how it uses objects, the result can be denial of service, information disclosure, or, in some applications, remote code execution. The impact is widespread because almost all JavaScript applications rely on object manipulation.
This vulnerability is considered highly exploitable because it is easy to trigger and its potential impact is high. Public proof-of-concept (PoC) code demonstrating prototype pollution is readily available. While active exploitation campaigns are not widely reported, the simplicity of the exploit makes it a likely target for opportunistic attackers. The vulnerability was publicly disclosed on August 27, 2019. It is not currently listed on the CISA KEV catalog.
Applications built on Node.js that utilize the set-value package are at risk. This includes web applications, backend services, and command-line tools. Projects using older versions of set-value and those that do not perform adequate input validation are particularly vulnerable.
• nodejs / server: `npm list set-value`
• nodejs / server: `npm audit set-value`
• nodejs / server: `grep -r 'Object.prototype.' /path/to/your/app`
• generic web: Inspect application logs for unusual object property modifications or unexpected behavior related to object creation.
Disclosure
Exploit status
EPSS
0.50% (66th percentile)
CVSS vector
The primary mitigation for CVE-2019-10747 is to upgrade to a patched version of set-value. Upgrade to version 3.0.1 or later if using 3.x, or to version 2.0.1 or later if using 2.x. If upgrading is not immediately feasible, consider implementing input validation to prevent attackers from injecting malicious property names. While not a complete solution, this can reduce the attack surface. Review your application's code for any instances where set-value is used to modify object properties and ensure that the values being set are properly sanitized. After upgrading, confirm the fix by attempting to pollute the prototype and verifying that the operation fails.
Update the set-value dependency to version 3.0.1 or later. This fixes the Prototype Pollution vulnerability. Run `npm install set-value@latest` or `yarn upgrade set-value@latest` to update.
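The input validation and post-upgrade verification described above, as an added example that is not code from the advisory or from the set-value project: a hardened dotted-path setter (`safeSet`, a hypothetical name) that refuses the path segments used for prototype pollution, and a check (`verifyNotPolluted`) that runs a polluting path through any setter and confirms a fresh object did not inherit the canary property.

```javascript
'use strict';

// Path segments that must never be written through a user-controlled key,
// because each one is a step towards Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept either an array of segments or a dotted string, as set-value does.
function splitPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Deep-set `value` at `path` on `target`. Any forbidden segment causes a
// throw rather than a silent skip, so the attempt is visible to the caller
// and can be logged as a suspicious input.
function safeSet(target, path, value) {
  const keys = splitPath(path);
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set forbidden key "${key}"`);
    }
  }
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    // Only descend into an own, non-null object property; otherwise create
    // a fresh container so inherited values are never walked into.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Post-upgrade check from the mitigation step: push a polluting path through
// `setter` and report whether it threw and whether a new object stays clean.
// The canary name is constructed here and removed again afterwards.
function verifyNotPolluted(setter) {
  const canary = 'pp_canary_' + Date.now();
  let threw = false;
  try { setter({}, `__proto__.${canary}`, true); } catch (e) { threw = true; }
  const clean = !(canary in {});
  delete Object.prototype[canary]; // undo the write if the setter was unsafe
  return { threw, clean };
}
```

Run `verifyNotPolluted` against the project's actual setter (for example set-value's exported function) after upgrading; a patched version should leave `clean` true.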
CVE-2019-10747 is a CRITICAL Prototype Pollution vulnerability in set-value versions before 2.0.1 or 3.0.1, allowing attackers to modify the Object prototype and impact all objects.
You are affected if you are using set-value versions prior to 2.0.1 or 3.0.1. Check your project dependencies to determine if you are vulnerable.
Upgrade to set-value version 2.0.1 or 3.0.1 or later. If immediate upgrade isn't possible, implement input validation.
While no specific campaigns are confirmed, Prototype Pollution vulnerabilities are high-risk and public exploits exist, so vigilance is advised.
Refer to the set-value project's repository and related security advisories for detailed information: https://github.com/yahoo/set-value