Platform: nodejs
Component: set-value
Fixed in: 2.0.2, 2.0.1
CVE-2019-10747 describes a Prototype Pollution vulnerability in set-value affecting versions prior to 2.0.1 or 3.0.1. The vulnerability allows attackers to modify the prototype of the JavaScript Object class, potentially leading to unexpected behavior and security compromises. Fixes are available in versions 2.0.1 and 3.0.1.
Prototype Pollution is a dangerous vulnerability because it allows attackers to inject properties into the base Object.prototype. This means any object created subsequently inherits these malicious properties, effectively poisoning the entire object hierarchy within a JavaScript application. An attacker could, for example, add a property to Object.prototype that intercepts sensitive data or modifies the behavior of built-in functions. This can lead to denial of service, information disclosure, or even remote code execution depending on how the application utilizes the polluted prototype. The impact is particularly severe in applications that heavily rely on dynamic object creation or serialization/deserialization, as the pollution can propagate silently and affect a wide range of components.
This vulnerability was publicly disclosed on August 27, 2019. While no active exploitation campaigns have been definitively linked to CVE-2019-10747 specifically, Prototype Pollution vulnerabilities are generally considered high-risk due to their potential for widespread impact. It is not listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the ease with which this vulnerability can be triggered.
Applications built on Node.js that utilize the set-value package are at risk. This includes web applications, backend services, and command-line tools. Projects using older versions of set-value and those that do not perform adequate input validation are particularly vulnerable.
• nodejs / server: `npm list set-value`
• nodejs / server: `npm audit set-value`
• nodejs / server: `grep -r 'Object.prototype.' /path/to/your/app`
• generic web: Inspect application logs for unusual object property modifications or unexpected behavior related to object creation.
Exploit Status:
EPSS: 0.50% (66th percentile)
CVSS vector:
The primary mitigation for CVE-2019-10747 is to upgrade to set-value version 2.0.1 or 3.0.1 or later. If an immediate upgrade is not feasible, consider implementing input validation and sanitization to prevent malicious data from being passed to the set function. While not a complete solution, this can reduce the attack surface. Additionally, consider using a Web Application Firewall (WAF) with rules to detect and block attempts to manipulate the Object.prototype. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual object property modifications in your application's logs is recommended.
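The following added example (not set-value's own code, and not part of the original advisory) shows why a naive deep-set reaches Object.prototype when a path segment is `__proto__`, and what the input validation recommended above looks like in practice. `unsafeSet`, `validatePath`, `safeSet` and `findPollutedProperties` are hypothetical names chosen for this illustration; the reserved-key list and own-property check are the standard defensive pattern, not an API of the set-value package.

```javascript
// Added example: simplified deep-set illustrating the prototype-pollution
// bug class, a hardened variant with path validation, and an integrity check
// an application can run to detect pollution. Names are hypothetical and
// this is not set-value's code.

// Path segments that can redirect a property walk into the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Simplified deep-set showing the bug class: every segment is trusted, so a
// segment of "__proto__" on a plain object resolves to Object.prototype and
// the final assignment lands on the shared prototype.
function unsafeSet(target, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Input validation step: split the path and reject any reserved segment.
// Returns the segment list, or throws so the caller can log and refuse.
function validatePath(path) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to set reserved key "${k}"`);
    }
  }
  return keys;
}

// Hardened deep-set: validates the path first, and only descends into
// properties the current node itself owns, so an inherited property (for
// example a polluted one) is never used as an intermediate container.
function safeSet(target, path, value) {
  const keys = validatePath(path);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(node, k) ||
        typeof node[k] !== 'object' || node[k] === null) {
      node[k] = {};
    }
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Integrity check for monitoring: a fresh empty object should expose no
// enumerable properties at all. Any name returned here was injected into
// Object.prototype by something in the process.
function findPollutedProperties() {
  const found = [];
  for (const name in {}) found.push(name);
  return found;
}
```

`findPollutedProperties` is cheap enough to run at startup or on a health endpoint; a non-empty result is a strong signal that untrusted input reached an unguarded deep-set somewhere in the dependency tree.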
Update the set-value dependency to version 3.0.1 or later. This fixes the Prototype Pollution vulnerability. Run `npm install set-value@latest` or `yarn upgrade set-value@latest` to update.
CVE-2019-10747 is a CRITICAL Prototype Pollution vulnerability in set-value versions before 2.0.1 or 3.0.1, allowing attackers to modify the Object prototype and impact all objects.
You are affected if you are using set-value versions prior to 2.0.1 or 3.0.1. Check your project dependencies to determine if you are vulnerable.
Upgrade to set-value version 2.0.1 or 3.0.1 or later. If immediate upgrade isn't possible, implement input validation.
While no specific campaigns are confirmed, Prototype Pollution vulnerabilities are high-risk and public exploits exist, so vigilance is advised.
Refer to the set-value project's repository and related security advisories for detailed information: https://github.com/yahoo/set-value