scim-patch@0.9.0

SCIM Patch operation (rfc7644).

  • latest version

    0.9.2

  • latest non vulnerable version

  • first published

    6 years ago

  • latest version published

    21 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the scim-patch package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Prototype Pollution

    scim-patch is a SCIM Patch operation (rfc7644).

    Affected versions of this package are vulnerable to Prototype Pollution via the scimPatch function. An attacker can modify the Object.prototype by supplying specially crafted keys in a patch operation, which can lead to privilege escalation, logic bypass, or denial of service by injecting properties into all plain objects within the Node.js process. This can be exploited by sending a malicious SCIM PATCH request containing keys such as __proto__ or constructor.prototype in the JSON body. This is only exploitable if the service processes attacker-controlled JSON input through the SCIM PATCH endpoint.

    How to fix Prototype Pollution?

    Upgrade scim-patch to version 0.9.1 or higher.

    <0.9.1