Name of the Vulnerable Software and Affected Versions jsii versions <=5.7.2 jsii versions <=5.6.3 jsii versions <=5.5.14 jsii versions <=5.4.45

Description The issue concerns prototype pollution that may occur when untrusted user input is passed to the jsii.configureCategories() function in applications that load jsii as a library. This can lead to the addition of a field named "category" with a user-controlled value to the JavaScript Object prototype, affecting every object in the program. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Technical details about exploitation include the use of the jsii.configureCategories() function with user input that can be crafted to add a field named "category" to the JavaScript Object prototype. The proto property can be used to achieve this. For example, calling jsii.configureCategories(JSON.parse('{" proto ": "user-input"}')) can add the "category" field to the prototype.

Recommendations For versions <=5.7.2, update to version 5.7.3 or later. For versions <=5.6.3, update to version 5.6.4 or later. For versions <=5.5.14, update to version 5.5.15 or later. For versions <=5.4.45, update to version 5.4.46 or later. As a temporary workaround, sanitize user input to configureCategories() by stripping the proto property if detected.