GHSA-fwr7-v2mv-hh25

Source

https://github.com/advisories/GHSA-fwr7-v2mv-hh25

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-fwr7-v2mv-hh25/GHSA-fwr7-v2mv-hh25.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fwr7-v2mv-hh25

Aliases

CVE-2021-43138

Published

2022-04-07T00:00:17Z

Modified

2024-06-24T21:23:09Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Prototype Pollution in async

Details

A vulnerability exists in Async through 3.2.1 for 3.x and through 2.6.3 for 2.x (fixed in 3.2.2 and 2.6.4), which could let a malicious user obtain privileges via the mapValues() method.

References

Affected packages

npm / async

Package

Name: async; View open source insights on deps.dev
Purl: pkg:npm/async

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0

Fixed

3.2.2

npm / async

Package

Name: async; View open source insights on deps.dev
Purl: pkg:npm/async

Affected ranges

Type: SEMVER
Events: Introduced

2.0.0

Fixed

2.6.4