GHSA-593m-55hh-j8gv – @sentry/browser
Package
Manager: npm
Name: @sentry/browser
Vulnerable Version: >=8.0.0-alpha.1 <8.33.0 || >=0 <7.119.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Sentry SDK Prototype Pollution gadget in JavaScript SDKs

### Impact

If a Prototype Pollution vulnerability is present in a user's application or in its bundled libraries, the Sentry SDK could serve as a gadget to exploit that vulnerability. Exploitability depends on the specific details of the underlying Prototype Pollution issue.

> [!NOTE]
> This advisory does not indicate the presence of a Prototype Pollution vulnerability within the Sentry SDK itself. Users are strongly advised to first address any Prototype Pollution vulnerabilities in their application, as those pose the more critical security risk.

### Patches

The issue was patched in all Sentry JavaScript SDKs starting from version [8.33.0](https://github.com/getsentry/sentry-javascript/releases/tag/8.33.0). The fix was also backported to SDK v7 in [7.119.1](https://github.com/getsentry/sentry-javascript/releases/tag/7.119.1).

### References

* [Prototype Pollution](https://portswigger.net/web-security/prototype-pollution)
* [Prototype Pollution gadgets](https://portswigger.net/web-security/prototype-pollution#prototype-pollution-gadgets)
* [sentry-javascript#13838](https://github.com/getsentry/sentry-javascript/pull/13838)
Metadata
Created: 2024-10-03T18:26:53Z
Modified: 2024-10-04T16:32:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-593m-55hh-j8gv/GHSA-593m-55hh-j8gv.json
CWE IDs: ["CWE-913"]
Alternative ID: N/A
Finding: F039
Auto approve: 1