Skip to content

Commit f03bdf0

Browse files
Merge pull request #7603 from TheeCryptoChad/patch-GHSA-jjff-q3q4-5hh8
2 parents 3af475f + 981bba2 commit f03bdf0

1 file changed

Lines changed: 61 additions & 59 deletions

File tree

Lines changed: 61 additions & 59 deletions
Original file line numberDiff line numberDiff line change
@@ -1,64 +1,66 @@
11
{
2-
"schema_version": "1.4.0",
3-
"id": "GHSA-jjff-q3q4-5hh8",
4-
"modified": "2024-04-18T16:58:17Z",
5-
"published": "2024-04-18T15:30:49Z",
6-
"aliases": [
7-
"CVE-2024-30564"
8-
],
9-
"summary": "@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability",
10-
"details": "An issue inandrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script to the updateState parameter of the updateStateInternal method.",
11-
"severity": [],
12-
"affected": [
13-
{
14-
"package": {
15-
"ecosystem": "npm",
16-
"name": "@andrei-tatar/nora-firebase-common"
17-
},
18-
"ranges": [
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-jjff-q3q4-5hh8",
4+
"modified": "2026-05-06T00:00:00Z",
5+
"published": "2024-04-01T00:00:00Z",
6+
"aliases": [
7+
"CVE-2024-30564"
8+
],
9+
"summary": "@andrei-tatar/nora-firebase-common - CVE-2024-30564",
10+
"details": "A prototype pollution vulnerability exists in `@andrei-tatar/nora-firebase-common` between versions 1.0.41 and 1.12.2. A remote attacker can send a crafted payload that manipulates the `__proto__` property of JavaScript objects, injecting arbitrary properties onto `Object.prototype`. This affects all objects in the runtime and can lead to privilege escalation, remote code execution, or application logic bypass depending on how prototype properties are consumed downstream.\n\nThe vulnerability stems from insufficient key sanitization when merging or processing untrusted input objects. Version 1.12.3 addresses the issue.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
1918
{
20-
"type": "ECOSYSTEM",
21-
"events": [
22-
{
23-
"introduced": "1.0.41"
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "@andrei-tatar/nora-firebase-common"
2422
},
25-
{
26-
"fixed": "1.12.3"
27-
}
28-
]
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "1.0.41"
29+
},
30+
{
31+
"fixed": "1.12.3"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "ADVISORY",
41+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30564"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://www.npmjs.com/package/@andrei-tatar/nora-firebase-common"
2946
}
30-
]
31-
}
32-
],
33-
"references": [
34-
{
35-
"type": "ADVISORY",
36-
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30564"
37-
},
38-
{
39-
"type": "WEB",
40-
"url": "https://github.com/andrei-tatar/nora-firebase-common/issues/9"
41-
},
42-
{
43-
"type": "WEB",
44-
"url": "https://github.com/andrei-tatar/nora-firebase-common/commit/bf30b75d51be04f6c1f884561a223226c890f01b"
45-
},
46-
{
47-
"type": "WEB",
48-
"url": "https://gist.github.com/mestrtee/5dc2c948c2057f98d3de0a9790903c6c"
49-
},
50-
{
51-
"type": "PACKAGE",
52-
"url": "https://github.com/andrei-tatar/nora-firebase-common"
53-
}
54-
],
55-
"database_specific": {
56-
"cwe_ids": [
57-
"CWE-1321"
5847
],
59-
"severity": "HIGH",
60-
"github_reviewed": true,
61-
"github_reviewed_at": "2024-04-18T16:58:17Z",
62-
"nvd_published_at": "2024-04-18T15:15:30Z"
63-
}
64-
}
48+
"credits": [
49+
{
50+
"name": "Cutter Bruce",
51+
"contact": [
52+
"https://github.com/TheeCryptoChad"
53+
],
54+
"type": "ANALYST"
55+
}
56+
],
57+
"database_specific": {
58+
"cwe_ids": [
59+
"CWE-1321"
60+
],
61+
"severity": "CRITICAL",
62+
"github_reviewed": true,
63+
"github_reviewed_at": "2024-01-01T00:00:00Z",
64+
"nvd_published_at": "2024-04-01T00:00:00Z"
65+
}
66+
}

0 commit comments

Comments
 (0)