Platform
javascript
Component
web-audio-recorder-js
Fixed in
0.1.1
0.1.2
A prototype pollution vulnerability has been identified in web-audio-recorder-js versions 0.1 through 0.1.1. This flaw allows attackers to manipulate object prototype attributes, potentially leading to unexpected application behavior and security compromises. The vulnerability resides within the extend function in lib/WebAudioRecorder.js. A public exploit is available, highlighting the potential for immediate exploitation.
Prototype pollution occurs when an attacker can modify the prototype of built-in JavaScript objects or user-defined constructor functions. In this case, manipulating the prototype through WebAudioRecorder.js could allow an attacker to inject malicious properties or override existing ones, potentially leading to denial of service, information disclosure, or even remote code execution depending on how the application uses the modified prototype. The availability of a public exploit significantly increases the risk, as it lowers the barrier to entry for attackers. The attack complexity is rated as high, but the public availability of the exploit largely offsets that barrier.
This vulnerability is publicly known and has a corresponding public proof-of-concept. The vulnerability was disclosed on 2026-02-23. The vendor was contacted but did not respond. The EPSS score is likely medium due to the public exploit and lack of vendor response, indicating a moderate probability of exploitation.
Web applications utilizing the web-audio-recorder-js library in versions 0.1 through 0.1.1 are at risk. This includes applications that directly incorporate the library into their codebase or rely on it through a package manager. Projects using older versions of Node.js or JavaScript runtimes that may have less robust prototype protection mechanisms are also at increased risk.
• javascript / web:
// Check for modifications to Object.prototype ('$$injectedProperty' is a placeholder name)
if (Object.prototype.hasOwnProperty.call(Object.prototype, '$$injectedProperty')) {
  console.warn('Object.prototype has been modified');
}
• javascript / web:
// Monitor for unusual property access patterns in WebAudioRecorder.js
console.log(WebAudioRecorder.someProperty); // Check if unexpected properties exist
• javascript / web:
// Inspect the prototype chain of WebAudioRecorder objects
console.log(Object.getPrototypeOf(new WebAudioRecorder()));
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of web-audio-recorder-js. As no fixed version is currently available, consider removing or disabling the web-audio-recorder-js component if possible. If removal is not feasible, implement strict input validation on any data used by the extend function to prevent malicious input from reaching the prototype. Monitor application logs for unusual behavior or unexpected property modifications. Consider using a Web Application Firewall (WAF) to filter requests that attempt to manipulate object prototypes.
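The advisory locates the flaw in an extend function and recommends strict validation of the data that reaches it. The following is an added example, not code from web-audio-recorder-js: a naive recursive extend of the kind that produces this bug class, a hardened replacement, and a runtime check for Object.prototype tampering (all function names and inputs are constructed for illustration).

```javascript
// Added example, not the library's code; names and inputs here are constructed.
// Naive deep merge: enumerates an own key named "__proto__", and target["__proto__"]
// resolves to Object.prototype, so a crafted source writes into it.
function unsafeExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that address the prototype chain instead of the object itself.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened merge: own keys only, blocked keys skipped, recursion only into plain
// objects, inherited or non-plain nested targets replaced rather than mutated.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime check (the advisory's hasOwnProperty probe, generalised): own properties
// of Object.prototype beyond the ECMAScript-standard set.
const STANDARD_KEYS = new Set(['constructor', '__defineGetter__', '__defineSetter__',
  'hasOwnProperty', '__lookupGetter__', '__lookupSetter__', 'isPrototypeOf',
  'propertyIsEnumerable', 'toString', 'valueOf', '__proto__', 'toLocaleString']);
function unexpectedPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !STANDARD_KEYS.has(k));
}
```

Untrusted configuration should be parsed with JSON.parse (which creates an own "__proto__" data property rather than setting the prototype) and passed only through the hardened merge; unexpectedPrototypeKeys() can run at startup or on a health endpoint as a tamper check.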
Update the web-audio-recorder-js library to a corrected version that mitigates the prototype pollution vulnerability. If no corrected version is available, replace the library or implement additional security measures to prevent manipulation of the dynamic configuration.
CVE-2026-2964 is a medium-severity prototype pollution vulnerability affecting web-audio-recorder-js versions 0.1–0.1.1, allowing attackers to manipulate object prototypes and potentially compromise application behavior.
You are affected if your web application uses web-audio-recorder-js versions 0.1 or 0.1.1. Check your project dependencies to confirm.
Upgrade to a patched version of web-audio-recorder-js. As no patch is available, remove or disable the component and implement strict input validation.
A public exploit exists, indicating a potential for active exploitation. Monitor your application and logs for suspicious activity.
As of this writing, no official advisory has been released by the vendor. Refer to the CVE details and security blogs for updates.