CVE Vulnerability

CVE-2022-37598

** DISPUTED ** Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS 3.13.2 via the name variable in ast.js. NOTE: the vendor considers this an invalid report.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/mishoo/UglifyJS/issues/5699 Issue Tracking Third Party Advisory
https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L46 Exploit Third Party Advisory
https://github.com/mishoo/UglifyJS/blob/352a944868b09c9ce3121a49d4a0bf0afe370a35/lib/ast.js#L79 Exploit Third Party Advisory
https://github.com/mishoo/UglifyJS/issues/5721#issuecomment-1292849604 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:uglifyjs_project:uglifyjs:3.13.2:*:*:*:*:node.js:*:*
Information

Published : 2022-10-20 11:15

Updated : 2022-12-02 11:00

NVD link : CVE-2022-37598

Mitre link : CVE-2022-37598

Products Affected
No products.
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')