Vulnerability	Vulnerable Version
H Prototype Pollution rxdb is a RxDB (short for Reactive Database) is a NoSQL-database for JavaScript Applications like Websites, hybrid Apps, Electron-Apps, Progressive Web Apps and NodeJs. Affected versions of this package are vulnerable to Prototype Pollution via the `merge` function within `lib/utils.js`. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. PoC `require('./env').getCollection(function(err, collection) { assert.ifError(err); col = collection; done(); }); var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}'); var m = mquery(payload); console.log({}.polluted); // The empty object {} will have a property called polluted which will print vulnerable` How to fix Prototype Pollution? Upgrade `rxdb` to version 9.11.0 or higher.	<9.11.0

Prototype Pollution

rxdb is a RxDB (short for Reactive Database) is a NoSQL-database for JavaScript Applications like Websites, hybrid Apps, Electron-Apps, Progressive Web Apps and NodeJs.

Affected versions of this package are vulnerable to Prototype Pollution via the merge function within lib/utils.js. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

PoC

   require('./env').getCollection(function(err, collection) {
      assert.ifError(err);
      col = collection;
      done();
    });
    var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}');
    var m = mquery(payload);
    console.log({}.polluted);
// The empty object {} will have a property called polluted which will print vulnerable

How to fix Prototype Pollution?

Upgrade rxdb to version 9.11.0 or higher.

<9.11.0

Go back to all versions of this package