PT-2022-23898 · Stealjs · Stealjs
Secdevlpr26
·
Published
2022-09-15
·
Updated
2022-09-19
·
CVE-2022-37257
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
stealjs steal version 2.2.4
Description
The issue is related to a prototype pollution vulnerability in the
convertLater function in npm-convert.js. This vulnerability is exploited via the requestedVersion variable in npm-convert.js.Recommendations
For stealjs steal version 2.2.4, consider disabling the
convertLater function as a temporary workaround until a patch is available. Restrict access to the npm-convert.js file to minimize the risk of exploitation. Avoid using the requestedVersion variable in the affected convertLater function until the issue is resolved.Fix
Prototype Pollution
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Stealjs