CVE-2022-0108: Prototype Pollution in node-forge

Platform

chrome

Component

google-chrome

Fixed version

97.0.4692.71

CVE-2022-0108 identifies a prototype pollution vulnerability within the node-forge library, specifically affecting versions prior to 1.0.0. This issue stems from the forge.debug API, which was intended for internal debugging purposes and not designed to handle untrusted input. While the API's usage was limited and considered safe, exploitation is possible if it's inadvertently exposed to external data.

Impact and attack scenarios

A successful prototype pollution attack could allow an attacker to modify the prototype of JavaScript objects, potentially leading to unexpected behavior or denial of service. While the forge.debug API was not publicly documented or advertised, its misuse with untrusted input could corrupt internal data structures within applications relying on node-forge. The impact is considered low due to the limited usage and intended purpose of the API, but any modification of prototypes can have unpredictable consequences, especially in complex applications. This vulnerability highlights the importance of carefully controlling access to internal APIs and validating all external input.

Exploitation context

This vulnerability was reported through Huntr.dev and published on 2022-01-08. The CVSS score is LOW (2.5). There are no known public exploits or active campaigns targeting this vulnerability. The low CVSS score and limited exposure of the forge.debug API suggest a low probability of exploitation in the wild.

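Threat intelligence

Exploit status

Proof of concept: Unknown
CISA KEV: NO

EPSS

0.33% (56th percentile)

Affected software

Component: google-chrome
Vendor: Google
Highest version: 97.0.4692.71
Fixed version: 97.0.4692.71

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated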

Mitigations and workarounds

The primary mitigation for CVE-2022-0108 is to upgrade to version 1.0.0 of node-forge, which removes the vulnerable forge.debug API. If upgrading is not immediately feasible, avoid using the forge.debug API directly or indirectly with any untrusted input. Thoroughly review your application's code to identify any instances where the API might be called with external data. Consider implementing input validation and sanitization to prevent malicious data from reaching the API, although this is not a substitute for upgrading.
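
One way to check whether a project still installs a node-forge release older than 1.0.0, including copies nested under other dependencies. This is an added example, not code from the advisory or from the node-forge project; the sample lockfiles are constructed and `example-dep` is a hypothetical package name.

```javascript
'use strict';
const FIXED = [1, 0, 0]; // first fixed node-forge release per the advisory text

// true = older than FIXED, false = fixed, null = not a plain semver string.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return null; // e.g. git URL or tarball: review by hand
  const core = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (core[i] !== FIXED[i]) return core[i] < FIXED[i];
  }
  return Boolean(m[4]); // a 1.0.0 pre-release sorts before 1.0.0
}

// Collect every installed copy of node-forge, including nested ones.
function findNodeForge(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/node-forge$/.test(path)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${trail}node_modules/${name}`;
        if (name === 'node-forge') hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfiles ("example-dep" is a hypothetical package).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '0.0.1' },
  'node_modules/node-forge': { version: '1.3.1' },
  'node_modules/example-dep/node_modules/node-forge': { version: '0.10.0' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'example-dep': { version: '2.0.0',
    dependencies: { 'node-forge': { version: '0.10.0' } } },
} };

console.log(findNodeForge(sampleV3), findNodeForge(sampleV1));
```

For a real project, pass the parsed contents of `package-lock.json` to `findNodeForge`; entries with `affected: null` carry a non-semver version string and need manual review.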

How to fix

Update Google Chrome to version 97.0.4692.71 or later. The update can be performed through the browser settings or by downloading the latest version from the official Google Chrome website.

Frequently asked questions

What is CVE-2022-0108 — Prototype Pollution in node-forge?

CVE-2022-0108 is a LOW severity vulnerability in node-forge versions before 1.0.0. It involves a prototype pollution issue in the internal forge.debug API, potentially allowing attackers to modify object prototypes with untrusted input.

Am I affected by CVE-2022-0108 in node-forge?

You are affected if you are using node-forge versions 0.10.0 or earlier and your application uses the forge.debug API with untrusted input. Upgrade to 1.0.0 to resolve this.

How do I fix CVE-2022-0108 in node-forge?

Upgrade to node-forge version 1.0.0 or later. This version removes the vulnerable forge.debug API. Avoid using the API with untrusted input if upgrading is not immediately possible.

Is CVE-2022-0108 being actively exploited?

Currently, there are no known public exploits or active campaigns targeting CVE-2022-0108. However, it's crucial to apply the fix to prevent potential future exploitation.

Where can I find the official node-forge advisory for CVE-2022-0108?

You can find information about this vulnerability and the fix on the Huntr.dev bounty page: https://www.huntr.dev/bounties/1-npm-node-forge/
