Node.js applications open to prototype pollution attacks via legacy function in popular encryption library

[silversurfer]

Content source

https://portswigger.net/daily-swig/node-js-applications-open-to-prototype-pollution-attacks-via-legacy-function-in-popular-encryption-library

A carryover function in the popular node-forge JavaScript library contains a vulnerability that could allow attackers to carry out prototype pollution attacks against applications, according to an advisory on GitHub.

Node-forge, used by more than 3.5 million repositories, implements various cryptography utilities, the TLS protocol, and tools for developing web applications.

Prototype pollution is a dangerous bug that allows attackers to manipulate the behavior of an application by modifying its code at runtime. It is usually carried out through malicious input, and depending on the vulnerable components, can lead to a range of attacks, including denial of service or even remote code execution.

Read more: Node.js applications open to prototype pollution attacks via legacy function in popular encryption library