derby@0.5.4 vulnerabilities

MVC framework making it easy to write realtime, collaborative applications that run in both Node.js and browsers.

  • latest version

    4.2.3

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    1 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the derby package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Improper Input Validation

    Affected versions of this package are vulnerable to Improper Input Validation due to the this.lastSegment variable in the emit function not being sanitized. An attacker can manipulate the this.lastSegment variable to set it to __proto__, leading to prototype pollution.

    Notes:

    1)If the application author has atypical HTML templates that feed user input into an object key.

    1. Attribute keys are almost always developer-controlled, not end-user-controlled, so this shouldn't be an issue in practice for most applications.

    How to fix Improper Input Validation?

    Upgrade derby to version 2.3.2, 3.0.2, 4.0.0-beta.11 or higher.

    <2.3.2>=3.0.0 <3.0.2>=4.0.0-beta.2 <4.0.0-beta.11