rxdb@8.0.0-beta.5 vulnerabilities

A local-first realtime NoSQL Database for JavaScript applications - https://rxdb.info/

  • latest version

    15.39.0

  • latest non vulnerable version

  • first published

    8 years ago

  • latest version published

    24 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the rxdb package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Prototype Pollution

    rxdb is a RxDB (short for Reactive Database) is a NoSQL-database for JavaScript Applications like Websites, hybrid Apps, Electron-Apps, Progressive Web Apps and NodeJs.

    Affected versions of this package are vulnerable to Prototype Pollution via the merge function within lib/utils.js. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

    PoC

       require('./env').getCollection(function(err, collection) {
          assert.ifError(err);
          col = collection;
          done();
        });
        var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable"}}');
        var m = mquery(payload);
        console.log({}.polluted);
    // The empty object {} will have a property called polluted which will print vulnerable
    

    How to fix Prototype Pollution?

    Upgrade rxdb to version 9.11.0 or higher.

    <9.11.0