icu-minify 0.0.0-canary-c22cb45

Direct Vulnerabilities

Known vulnerabilities in the icu-minify package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Prototype Pollution icu-minify is an ICU message format compiler with a <1KB runtime bundle footprint Affected versions of this package are vulnerable to Prototype Pollution via the `formatSelect` function. An attacker can cause the application to crash and trigger a server error by supplying specially crafted input that matches keys on `Object.prototype`, such as `toString`, `__proto__`, or `constructor`, which leads to a TypeError when the downstream process attempts to iterate over a non-iterable value. Note: This is only exploitable when `precompile = true`. How to fix Prototype Pollution? Upgrade `icu-minify` to version 4.9.2 or higher.	<4.9.2
M Prototype Pollution icu-minify is an ICU message format compiler with a <1KB runtime bundle footprint Affected versions of this package are vulnerable to Prototype Pollution in the `setNestedProperty` function when processing translation catalog keys containing reserved properties such as `__proto__`, `constructor`, or `prototype`. An attacker can inject malicious properties into `Object.prototype`, impacting all objects created during the build process, by supplying a crafted JSON translation catalog with attacker-controlled keys. Note: This is only exploitable if the application is configured with both `experimental.messages` and `messages.precompile: true`. How to fix Prototype Pollution? Upgrade `icu-minify` to version 4.9.2 or higher.	<4.9.2

Vulnerability

Vulnerable Version

Prototype Pollution

icu-minify is an ICU message format compiler with a <1KB runtime bundle footprint

Affected versions of this package are vulnerable to Prototype Pollution via the formatSelect function. An attacker can cause the application to crash and trigger a server error by supplying specially crafted input that matches keys on Object.prototype, such as toString, __proto__, or constructor, which leads to a TypeError when the downstream process attempts to iterate over a non-iterable value.

Note: This is only exploitable when precompile = true.

How to fix Prototype Pollution?

Upgrade icu-minify to version 4.9.2 or higher.

<4.9.2

Prototype Pollution

icu-minify is an ICU message format compiler with a <1KB runtime bundle footprint

Affected versions of this package are vulnerable to Prototype Pollution in the setNestedProperty function when processing translation catalog keys containing reserved properties such as __proto__, constructor, or prototype. An attacker can inject malicious properties into Object.prototype, impacting all objects created during the build process, by supplying a crafted JSON translation catalog with attacker-controlled keys.

Note: This is only exploitable if the application is configured with both experimental.messages and messages.precompile: true.

How to fix Prototype Pollution?

Upgrade icu-minify to version 4.9.2 or higher.

<4.9.2

icu-minify@0.0.0-canary-c22cb45

ICU message format compiler with a <1KB runtime bundle footprint

latest version

latest non vulnerable version

first published

latest version published

Direct Vulnerabilities

Fix vulnerabilities automatically