Platform
javascript
Component
web-audio-recorder-js
Fixed in
0.1.1
0.1.2
A prototype pollution vulnerability has been identified in web-audio-recorder-js versions 0.1 through 0.1.1. This flaw allows attackers to manipulate object prototype attributes, potentially leading to unexpected application behavior and security compromises. The vulnerability resides within the extend function in lib/WebAudioRecorder.js. A public exploit is available, highlighting the potential for immediate exploitation.
Prototype pollution occurs when an attacker can modify the prototype of built-in JavaScript objects or user-defined constructor functions. In this case, polluting a prototype through the extend function of WebAudioRecorder.js could allow an attacker to inject malicious properties or override existing ones, potentially leading to denial of service, information disclosure, or even remote code execution depending on how the application uses the modified prototype. The availability of a public exploit significantly increases the risk, as it lowers the barrier to entry for attackers. Attack complexity is rated high, but the public availability of the exploit offsets that barrier.
This vulnerability is publicly known and has a corresponding public proof-of-concept. The vulnerability was disclosed on 2026-02-23. The vendor was contacted but did not respond. The EPSS score is likely medium due to the public exploit and lack of vendor response, indicating a moderate probability of exploitation.
Web applications utilizing the web-audio-recorder-js library in versions 0.1 through 0.1.1 are at risk. This includes applications that directly incorporate the library into their codebase or rely on it through a package manager. Projects using older versions of Node.js or JavaScript runtimes that may have less robust prototype protection mechanisms are also at increased risk.
• javascript / web:
// Check whether a specific property has been injected into Object.prototype
// ('$$injectedProperty' is a placeholder for the property name being checked)
Object.prototype.hasOwnProperty.call(Object.prototype, '$$injectedProperty');
• javascript / web:
// Monitor for unusual property access patterns in WebAudioRecorder.js
// ('someProperty' is a placeholder; a defined value where none is expected indicates pollution)
console.log(WebAudioRecorder.someProperty);
• javascript / web:
// Inspect the prototype chain of WebAudioRecorder objects
console.log(Object.getPrototypeOf(new WebAudioRecorder()));
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to a patched version of web-audio-recorder-js. As no fixed version is currently available, consider removing or disabling the web-audio-recorder-js component if possible. If removal is not feasible, implement strict input validation on any data used by the extend function to prevent malicious input from reaching the prototype. Monitor application logs for unusual behavior or unexpected property modifications. Consider using a Web Application Firewall (WAF) to filter requests that attempt to manipulate object prototypes.
Update the web-audio-recorder-js library to a fixed version that mitigates the prototype pollution vulnerability. If no fixed version is available, consider replacing the library or implementing additional security measures to prevent manipulation of the dynamic configuration.
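As an added example (not code from web-audio-recorder-js, whose extend function is not reproduced here), the following JavaScript shows the generic recursive-merge shape that is prone to prototype pollution beside a hardened form that applies the strict input validation recommended above, together with a runtime check for a polluted Object.prototype of the kind the detection snippets look for. The names unsafeExtend, safeExtend, objectPrototypePollution and applyConfig, and the sample configurations, are assumptions constructed for this illustration.

```javascript
// Added example; not code from web-audio-recorder-js. The library's real extend
// function is not reproduced here: unsafeExtend is a generic recursive-merge shape
// that is prone to prototype pollution, safeExtend is the hardened form, and
// objectPrototypePollution is a runtime check. All names are hypothetical.

// Keys that a merge must never copy: each one resolves to a prototype object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable shape. `for...in` walks every enumerable key, including an own
// "__proto__" key produced by JSON.parse, and target["__proto__"] resolves to
// Object.prototype, so the recursion writes attacker-chosen keys onto it.
function unsafeExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: own keys only, forbidden keys rejected outright, and nested
// targets reused only when they are the target's own plain-object properties.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`extend: refusing to copy forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime check: enumerable own keys of Object.prototype. Built-in methods are
// non-enumerable, so a clean runtime returns []; any entry is pollution.
function objectPrototypePollution() {
  return Object.keys(Object.prototype);
}

// Apply a JSON configuration (for example recorder options received over the
// wire) onto a copy of the defaults without letting it reach a prototype.
function applyConfig(defaults, json) {
  return safeExtend(JSON.parse(JSON.stringify(defaults)), JSON.parse(json));
}

// Constructed sample inputs: a benign recorder configuration and a malicious one.
const BENIGN_CONFIG = JSON.stringify({ options: { timeLimit: 120 } });
const MALICIOUS_CONFIG = '{"__proto__": {"polluted": true}}';

// Demonstration: pollute with the unsafe merge, detect it, then show that the
// safe merge rejects the same input. Cleans up so the process is left unpolluted.
function demo() {
  const defaults = { bufferSize: 4096, options: { timeLimit: 300, encodeAfterRecord: true } };
  const result = { before: objectPrototypePollution() };   // []

  unsafeExtend({}, JSON.parse(MALICIOUS_CONFIG));
  result.afterUnsafe = objectPrototypePollution();          // ['polluted']
  result.freshObjectSeesIt = ({}).polluted === true;        // true
  delete Object.prototype.polluted;                         // clean up

  try {
    safeExtend({}, JSON.parse(MALICIOUS_CONFIG));
    result.safeRejected = false;
  } catch (err) {
    result.safeRejected = true;                             // true
  }
  result.afterSafe = objectPrototypePollution();            // []
  result.merged = applyConfig(defaults, BENIGN_CONFIG);
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node; the hardened merge throws rather than silently skipping a forbidden key, so a tampered configuration surfaces as an error in the application logs, which is where the advice above says to look for unexpected behaviour.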
CVE-2026-2964 is a medium-severity prototype pollution vulnerability affecting web-audio-recorder-js versions 0.1–0.1.1, allowing attackers to manipulate object prototypes and potentially compromise application behavior.
You are affected if your web application uses web-audio-recorder-js versions 0.1 or 0.1.1. Check your project dependencies to confirm.
Upgrade to a patched version of web-audio-recorder-js. As no patch is available, remove or disable the component and implement strict input validation.
A public exploit exists, indicating a potential for active exploitation. Monitor your application and logs for suspicious activity.
As of this writing, no official advisory has been released by the vendor. Refer to the CVE details and security blogs for updates.