PT-2021-14489 · Prisma · @Prisma/Sdk

Erik Krogh Kristensen +1

Published 2021-04-06 · Updated 2022-04-26

CVE-2021-21414

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

@prisma/sdk versions prior to 2.20.0
@prisma/sdk versions prior to 2.20.0-dev.29

Description

This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. It only affects the getPackedPackage function, which is not advertised and only used for tests and building the CLI. No malicious code was found after checking the codebase. As of today, there are no known Prisma users or external consumers of the @prisma/sdk package who are affected by this security issue.

Recommendations

For @prisma/sdk versions prior to 2.20.0, update to version 2.20.0 or later. For @prisma/sdk versions prior to 2.20.0-dev.29, update to version 2.20.0-dev.29 or later. As a temporary workaround, consider disabling the getPackedPackage function until a patch is available. Avoid using this function with untrusted input to minimize the risk of exploitation.
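To check whether an installed copy falls in either affected range, here is an added example (not part of this advisory or of the Prisma project) that compares versions with semver precedence rules, so that dev pre-releases such as 2.20.0-dev.9 and 2.20.0-dev.29 order correctly; the checkLockfile helper and the lockfile fragment are constructed for illustration.

```javascript
// Added example, not part of the advisory or of @prisma/sdk: decide whether an installed
// @prisma/sdk version falls in either affected range above, using semver.org precedence.
const FIX_RELEASE = "2.20.0"; // fix version for the release line (from the advisory)
const FIX_DEV = "2.20.0-dev.29"; // fix version for the dev line (from the advisory)
// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Numeric identifiers compare as numbers (dev.9 < dev.29) and sort before alphanumeric ones.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a), bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Number(a) - Number(b);
  if (aNum !== bNum) return aNum ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length; // release > pre-release
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const c = compareIdentifiers(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return x.pre.length - y.pre.length;
}

// "dev" pre-releases are judged against the dev fix; everything else against the 2.20.0
// release, so other 2.20.0 pre-release tags still count as "prior to 2.20.0".
function isAffected(installed) {
  const onDevLine = parseSemver(installed).pre[0] === "dev";
  return compareSemver(installed, onDevLine ? FIX_DEV : FIX_RELEASE) < 0;
}

// Look up @prisma/sdk in a package-lock.json (v2/v3 "packages" map, else v1 "dependencies").
function checkLockfile(lockJsonText) {
  const lock = JSON.parse(lockJsonText);
  const entry = (lock.packages && lock.packages["node_modules/@prisma/sdk"]) ||
    (lock.dependencies && lock.dependencies["@prisma/sdk"]);
  if (!entry) return { present: false, version: null, affected: false };
  return { present: true, version: entry.version, affected: isAffected(entry.version) };
}

// Constructed sample lockfile fragment so the block runs stand-alone.
const SAMPLE_LOCK = JSON.stringify({ packages: { "node_modules/@prisma/sdk": { version: "2.19.0" } } });
console.log(checkLockfile(SAMPLE_LOCK)); // { present: true, version: '2.19.0', affected: true }
```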

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2021-21414
GHSA-PXCC-HJ8W-FMM7

Affected Products

@Prisma/Sdk