Prototype pollution vulnerability in function DEFNODE

suraj_k · 26 October 2022 06:15

There is an issue in my node package "uglify-js": "3.16.3" Prototype pollution vulnerability in function DEFNODE in ast.js in mishoo UglifyJS via the name variable in ast.js. You can see more on this link here

zenofmud · 26 October 2022 09:57

How is this related to Node-RED?
If it is connected to a NR node, it would help if you identified the node and provided information such as
Node-RED version
node.js version
npm version
platform you are running on
OS you are using and version

knolleary · 26 October 2022 10:01

If this is related to the core of node-red, then reporting any possible security issue via the public forum is not the way to do it.

Our responsible disclosure policy is documented here: node-red/SECURITY.md at master · node-red/node-red · GitHub

Steve-Mcl · 26 October 2022 11:06

FWIW, uglify is not used / never loaded into memory.

The Dependency (should probably be removed) : node-red/package.json at 946def022fa94e9998d5c6095838841a1c94e2da · node-red/node-red · GitHub

Only reference: node-red/registry.js at 946def022fa94e9998d5c6095838841a1c94e2da · node-red/node-red · GitHub

system · 25 December 2022 11:07

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
4 high severity vulnerabilities while installing node-red@2.2.2 && 2.1.4 General	3	388	11 July 2022
Npm audit reports a vulnerability General	6	144	11 June 2023
:tada: nrlint 1.1.0 released News	6	645	26 September 2022
[UPDATE] node-red-contrib-components v0.3.2 Share Your Nodes	4	536	16 December 2021
Node-RED 0.20.3 released News	0	742	20 March 2019

Prototype pollution vulnerability in function DEFNODE

Related Topics