Vdata1

**Name of the Vulnerable Software and Affected Versions** Swiper versions 6.5.1 through 12.1.1 **Description** Swiper is a free and mobile touch slider with hardware accelerated transitions and native behavior. A prototype pollution issue exists in the `shared/utils.mjs` file, specifically at line 94, where the `indexOf()` function is used to validate user-provided input. Despite a prior attempt to address prototype pollution by checking for forbidden keys, it remains possible to pollute `Object.prototype` using a crafted input leveraging `Array.prototype`. This issue impacts Windows and Linux systems, as well as Node and Bun runtimes. Applications processing attacker-controlled input with this package may be susceptible to Authentication Bypass, Denial of Service, and Remote Code Execution (RCE). **Recommendations** Update to version 12.1.2 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** set-in versions 2.0.1 through 2.0.4 **Description** set-in is a Node.js package that sets values within nested associative structures given an array of keys. A flaw exists where, despite a previous attempt to prevent prototype pollution by checking for forbidden keys, it remains possible to pollute `Object.prototype` using a crafted input leveraging `Array.prototype`. The issue resides in the `includes()` function used to validate user input. A proof-of-concept demonstrates bypassing the intended protection by redefining `Array.prototype.includes` to always return false, allowing the injection of a property named `polluted` into `Object.prototype`. This could potentially lead to authentication bypass, denial of service, or remote code execution if the polluted property is passed to vulnerable sinks. **Recommendations** set-in versions 2.0.1 through 2.0.4 should be updated to version 2.0.5.

**Name of the Vulnerable Software and Affected Versions** Locutus versions 2.0.12 through 2.0.38 **Description** Locutus, designed to bring standard libraries from other programming languages to JavaScript for educational purposes, contains a prototype pollution issue. A previous attempt to address prototype pollution by checking for forbidden keys in user input was insufficient. It remains possible to pollute `Object.prototype` through a crafted input utilizing `String.prototype`. This allows for malicious property injection, potentially leading to further compromise. **Recommendations** Upgrade to version 2.0.39.

**Name of the Vulnerable Software and Affected Versions** deephas version 1.0.7 deephas versions prior to 1.0.8 **Description** A prototype pollution issue exists in the deephas npm package. This allows an attacker to modify global object behavior by injecting properties into Object.prototype. The issue resides in the `add()` function and `indexer()` function within `deepHas.js`. The vulnerability can be bypassed by manipulating `Object.prototype.hasOwnProperty` or `String.prototype.indexOf`. Exploitation can lead to authentication bypass, denial of service, and potentially remote code execution if polluted properties are passed to vulnerable sinks. **Recommendations** deephas versions prior to 1.0.8 should be updated to version 1.0.8 or later.

**Name of the Vulnerable Software and Affected Versions** Deno versions prior to 2.6.0 **Description** Deno is a JavaScript, TypeScript, and WebAssembly runtime. A flaw in the `node:crypto` polyfill allows cryptographic handles to persist beyond their intended lifespan. This results in the possibility of infinite encryption rounds, potentially enabling attackers to attempt brute-force attacks or learn server secrets. The issue stems from the `node:crypto` module not finalizing ciphers correctly. **Recommendations** Upgrade to Deno version 2.6.0 or newer.

**Name of the Vulnerable Software and Affected Versions** isolated-vm versions prior to 4.0.0 **Description** The isolated-vm library for Node.js has API pitfalls that may expose supposed secure isolates to the permissions of the main Node.js isolate. `Reference` objects allow access to the underlying reference's full prototype chain, potentially enabling attackers to acquire a `Reference` to the Node.js context's `Function` object. Similar attacks could be possible by modifying the local prototype of other API objects. Access to `NativeModule` objects could allow an attacker to load and run native code from anywhere on the filesystem, potentially leading to arbitrary code execution if combined with a file upload API. **Recommendations** For versions prior to 4.0.0, update to version 4.0.0 or later, which includes changes such as updated documentation, modified `Reference` instances to not follow prototype chains by default, immutable `isolated-vm` API prototypes, and restrictions on invoking the `NativeModule` constructor.