Fluid Attacks Database

Description

Prototype Pollution in node-forge debug API.

Impact

The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.

Patches

The forge.debug API and related functions were removed in 1.0.0.

Workarounds

Don't use the forge.debug API directly or indirectly with untrusted input.

References

https://www.huntr.dev/bounties/1-npm-node-forge/

For more information

If you have any questions or comments about this advisory:

Open an issue in forge.

Email us at [email protected].

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	node-forge	>=0 <1.0.0	1.0.0

Aliases

1. GHSA-5rrq-pxf6-6jx52. GCVE-GHSA-5rrq-pxf6-6jx5

References

1. https://github.com/digitalbazaar/forge/security/advisories/GHSA-5rrq-pxf6-6jx5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.