PT-2022-24020 · Mishoo+1 · Uglify-Js+1
Ciarancolgan · Published 2022-10-20 · Updated 2024-08-03 · CVE-2022-37598
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
mishoo UglifyJS version 3.13.2
Description
The issue is related to a prototype pollution vulnerability in the function DEFNODE in ast.js, specifically via the name variable. This vulnerability is present in mishoo UglifyJS. The vendor has considered this report as invalid.
Recommendations
For mishoo UglifyJS version 3.13.2, consider restricting access to the DEFNODE function in ast.js to minimize the risk of exploitation. As a temporary workaround, consider disabling the DEFNODE function until a patch is available or further guidance is provided by the vendor. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Prototype Pollution
Affected Products
Debian
Uglify-Js