
CVE-2024-21505 web3-utils

Package

Manager: npm
Name: web3-utils
Vulnerable Version: >=4.0.1 <4.2.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00062 (percentile 0.19432)

Details

web3-utils Prototype Pollution vulnerability

Impact: The mergeDeep() function in the web3-utils package is affected by a prototype pollution vulnerability. By providing carefully crafted input to the function, an attacker is able to modify an object's prototype, which could change the behavior of all objects that inherit from the affected prototype.

Patches: Fixed in web3-utils version 4.2.1; all packages and apps depending on web3-utils >=4.0.1 and <=4.2.0 should upgrade to web3-utils 4.2.1.

Workarounds: None
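Added example (not web3-utils code and not the project's patch): a deep merge hardened against the prototype pollution pattern the advisory describes, plus a regression check a maintainer can keep in a test suite. The function names and the sample payload are constructed for illustration.

```javascript
// Keys through which a merge can reach Object.prototype or a
// constructor's prototype; a hardened merge never writes these.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Only plain objects (not arrays, class instances, null) are merged recursively.
function isPlainObject(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened deep merge: copies only own, enumerable, non-prototype keys and
// never recurses into an inherited property of the target.
function safeMergeDeep(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (UNSAFE_KEYS.has(key)) continue; // drop the dangerous key entirely
      const value = source[key];
      if (isPlainObject(value)) {
        // Read an existing nested object only if the target OWNS it; an
        // inherited one (e.g. from the prototype chain) is never reused.
        const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
        target[key] = safeMergeDeep(isPlainObject(own) ? own : {}, value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Regression check for the mitigation: merge a constructed JSON payload that
// carries a "__proto__" key and confirm the shared Object.prototype is untouched
// while ordinary keys still merge.
function prototypeStaysClean() {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "a": {"b": 1}}'); // constructed
  const result = safeMergeDeep({}, payload);
  return ({}).polluted === undefined && result.polluted === undefined && result.a.b === 1;
}
```

`JSON.parse` creates an own property literally named `__proto__`, which is why the key filter runs on `Object.keys(source)` rather than relying on a setter check.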

Metadata

Created: 2024-03-27T21:57:42Z
Modified: 2024-03-27T21:57:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-2g4c-8fpm-c46v/GHSA-2g4c-8fpm-c46v.json
CWE IDs: CWE-1321
Alternative ID: GHSA-2g4c-8fpm-c46v
Finding: F390
Auto approve: 1