CVE-2022-37266 steal

Package

Manager: npm
Name: steal
Vulnerable Version: >=0 <=2.3.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00137 (percentile 0.34261)

Details

steal vulnerable to Prototype Pollution via key variable in babel.js

Prototype pollution vulnerability in the function extend in babel.js in stealjs steal, via the key variable in babel.js.

Metadata

Created: 2022-09-16T00:00:39Z
Modified: 2022-09-21T21:08:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-vwhq-pm3r-fjm9/GHSA-vwhq-pm3r-fjm9.json
CWE IDs: CWE-1321
Alternative ID: GHSA-vwhq-pm3r-fjm9
Finding: F390
Auto approve: 1