Homepage
About Snyk

Prototype Pollution Affecting appwrite/server-ce package, versions >=0.12.0, <0.12.2 <0.11.1

0.0
high

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 1.15% (85th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-APPWRITESERVERCE-2401820
  • published 16 Feb 2022
  • disclosed 24 Jan 2022
  • credit Alessio Della Libera of Snyk Research Team
Report a new vulnerability Found a mistake?

Introduced: 24 Jan 2022

CVE-2021-23682 Open this link in a new tab
CWE-1321 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade appwrite/server-ce to version 0.12.2, 0.11.1 or higher.

Overview

appwrite/server-ce is an End to end backend server for frontend and mobile apps.

Affected versions of this package are vulnerable to Prototype Pollution. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution vulnerability.

PoC

  1. add the following query string ?__proto__[polluted]=yes

  2. open the browser developer console. The property polluted has value yes