
Security Vulnerability: Prototype pollution #1854

Closed
peppertech opened this issue Apr 11, 2024 · 9 comments · Fixed by #1856

Comments

@peppertech

Are there any chances of getting a security fix that addresses this recently filed issue? https://security.snyk.io/vuln/SNYK-JS-REQUIREJS-5416713

There isn't a CVE posted for this yet, as it was just published last week. It is already showing up on multiple security scans however.

@jrburke (Member)

jrburke commented Apr 11, 2024

No plans to address that report, this project is not under active development.

@d-haber

d-haber commented Jul 11, 2024

There is now a high severity CVE posted:
https://nvd.nist.gov/vuln/detail/CVE-2024-38999
There is also now a high severity vulnerability published by github:
GHSA-x3m3-4wpv-5vgc

Please consider fixing this.
Thank you.

@jrburke (Member)

jrburke commented Jul 16, 2024

@d-haber, @peppertech, anyone else: if #1856 looks like a fix, then I can spin out a 2.3.7 version hopefully before next Monday.

jrburke added a commit that referenced this issue Jul 20, 2024
jrburke added a commit to requirejs/r.js that referenced this issue Jul 20, 2024
@peppertech (Author)

Thank you very much @jrburke, really appreciate this update.

@jrburke (Member)

jrburke commented Jul 21, 2024

I updated npm and the web site with 2.3.7.

prantlf pushed a commit to prantlf/r.js that referenced this issue Jul 22, 2024
Merge the previous `denyProps` fix (3e9eb74) with `disallowedProps`,
which applies to any call to `eachProps`.
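As an added example that is not requirejs's own code, here is a property-iteration helper of the kind the commit message above describes: a denylist of property names consulted by every `eachProp` call, so a nested config object cannot be used to reach `Object.prototype`. The names `DISALLOWED`, `eachProp`, `mixin`, `findDisallowedKeys` and `mergeConfig`, and the sample config, are assumptions constructed for this illustration.

```javascript
// Added example (hypothetical names, not requirejs's API). The denylist is
// applied inside the single iteration helper that every merge goes through,
// so it holds at every nesting level, not just at the top of the config.
const DISALLOWED = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, prop) => Object.prototype.hasOwnProperty.call(obj, prop);

// Iterate own enumerable props, skipping denylisted keys; func returns true to stop.
function eachProp(obj, func) {
  for (const prop in obj) {
    if (hasOwn(obj, prop) && !DISALLOWED.has(prop)) {
      if (func(obj[prop], prop)) break;
    }
  }
}

// Deep merge of source into target. Only eachProp touches keys, so
// "__proto__", "constructor" and "prototype" are never assigned or recursed into.
function mixin(target, source) {
  eachProp(source, (value, prop) => {
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, prop) || typeof target[prop] !== 'object') {
        target[prop] = {};
      }
      mixin(target[prop], value);
    } else {
      target[prop] = value;
    }
  });
  return target;
}

// Defender-side check: list denylisted keys anywhere in untrusted input,
// with their dotted paths, for logging or alerting.
function findDisallowedKeys(obj, path = '', out = []) {
  for (const prop of Object.keys(obj)) {
    const here = path ? `${path}.${prop}` : prop;
    if (DISALLOWED.has(prop)) out.push(here);
    const v = obj[prop];
    if (v && typeof v === 'object' && !Array.isArray(v)) findDisallowedKeys(v, here, out);
  }
  return out;
}

// Constructed sample config of the shape a scanner would flag: JSON.parse
// yields "__proto__" as an own data property, which is why a naive merge is risky.
const UNTRUSTED = JSON.parse('{"paths":{"jquery":"lib/jquery"},"__proto__":{"polluted":true},"shim":{"constructor":{"prototype":{"x":1}}}}');

function mergeConfig(base, untrusted) {
  return { config: mixin(base, untrusted), rejected: findDisallowedKeys(untrusted) };
}
```

Running `mergeConfig({ baseUrl: 'js', paths: {} }, UNTRUSTED)` keeps the legitimate `paths` entry, leaves `shim` empty, and reports the three rejected paths while `Object.prototype` stays untouched.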
@d-haber

d-haber commented Jul 22, 2024

Thank you @jrburke!

@AbhishekGarg

Hello,
There was another high severity CVE posted on the same day:
https://nvd.nist.gov/vuln/detail/CVE-2024-38998

@jrburke Can this please be considered for fixing as well?
Thank you.

@jrburke (Member)

jrburke commented Nov 15, 2024

That one sounds like a rephrasing of the same issue that was fixed in 2.3.7. If not, it would be good to have more specifics on how 2.3.7 has the problem.

@AbhishekGarg

Thanks for taking a look.
I am not sure why it was reported as a separate vulnerability, but it does get fixed with the same version (2.3.7), at least in the Mend (WhiteSource) scan.
