Gửi #856013: Node.js @svgdotjs/svg.js 3.2.5 Prototype Pollutionthông tin

tiêu đềNode.js @svgdotjs/svg.js 3.2.5 Prototype Pollution
Mô tả@svgdotjs/svg.js version 3.2.5 is affected by a prototype pollution vulnerability in the public EventTarget.on() event registration API. The event string is split into an event name and namespace and then stored in an internal object bag without rejecting prototype-related keys. When an attacker-controlled event name or namespace contains __proto__, the write can traverse ordinary JavaScript prototype access and create properties on Object.prototype. An attacker who can influence event names passed to EventTarget.on() may be able to inject inherited properties into newly created objects. Depending on how the application later uses plain objects, this may lead to logic corruption, denial of service, unsafe inherited-property checks, or application-specific security impact.
Nguồn⚠️ https://github.com/svgdotjs/svg.js/issues/1343
Người dùng
 wjm1 (UID 98929)
Đệ trình11/06/2026 13:51 (cách đây 1 tháng)
Kiểm duyệt14/07/2026 07:01 (1 month later)
Trạng tháiđược chấp nhận
Mục VulDB378244 [svgdotjs svg.js đến 3.2.5 npm Package API svgdotjs/svg.js EventTarget.on nâng cao đặc quyền]
điểm20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!