PT-2023-29701 · Node.Js+1

Steakenthusiast · Published 2023-10-17 · Updated 2023-12-26 · CVE-2023-45811

CVSS v3.1: 8.1 (High)
Vector: AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Synchrony deobfuscator versions prior to 2.4.4

Description: A prototype pollution vulnerability exists in the LiteralMap transformer, allowing crafted input to modify properties in the Object prototype. Successful exploitation could lead to arbitrary code execution. The vulnerability is caused by defining a parser property on __proto__ with a path to a JS module on disk, which can lead to arbitrary code execution when executing in Node.js.

Recommendations: For versions prior to 2.4.4, upgrade to deobfuscator@2.4.4 to fix the issue. As a temporary workaround, consider launching node with the --disable-proto=delete or --disable-proto=throw flag to minimize the risk of exploitation. Restrict access to the LiteralMap transformer to prevent crafted input from modifying properties in the Object prototype. Avoid using the parser property on __proto__ in the affected API endpoint until the issue is resolved.
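As an added example (not Synchrony's code; the nested key-path shape of the literal map is an assumption), here is the naive write that lets an attacker-chosen key reach Object.prototype beside a hardened version, plus two defender-side checks: whether the process is already polluted, and whether the --disable-proto=delete workaround from the recommendations is in effect.

```javascript
// Keys that must never be taken from untrusted input when writing into an object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive nested write: the key path comes from untrusted input and is followed
// blindly. A path starting with "__proto__" walks up to Object.prototype, so the
// final write lands on every object in the process (the bug class in the advisory).
function setPathNaive(target, path, value) {
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Hardened write: reject prototype-walking keys up front, only descend into own
// properties, and create intermediate containers without a prototype at all.
function setPathSafe(target, path, value) {
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to write through prototype key "${key}"`);
    }
  }
  let node = target;
  for (const key of path.slice(0, -1)) {
    if (!Object.hasOwn(node, key)) node[key] = Object.create(null);
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Defender-side check: a fresh empty object should not see `name` at all.
// If it does, something has written that property onto Object.prototype.
function isPolluted(name) {
  return ({})[name] !== undefined;
}

// Runtime check for the --disable-proto=delete workaround: with that flag Node
// removes the Object.prototype.__proto__ accessor, so the descriptor is absent.
function protoAccessorRemoved() {
  return Object.getOwnPropertyDescriptor(Object.prototype, '__proto__') === undefined;
}
```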

Exploit

Fix

Prototype Pollution


Weakness Enumeration

Related identifiers

CVE-2023-45811
GHSA-JG82-XH3W-RHXX

Affected products

Node.Js
Synchrony Deobfuscator