CVE-2021-32736
Prototype Pollution in think-helper
Description
### Impact

The software receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

### Patches

`think-helper@1.1.3` patched it; anyone using `think-helper` should upgrade to version `>=1.1.3`.

### References

https://cwe.mitre.org/data/definitions/1321.html

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [thinkjs/thinkjs](https://github.com/thinkjs/thinkjs)
* Email us at [[email protected]](mailto:[email protected])
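As an added illustration of the bug class the advisory describes (CWE-1321), not think-helper's own code, which the advisory does not show: a hypothetical recursive `extend` helper in its vulnerable form next to a hardened one, run over a constructed JSON input. The function names, `FORBIDDEN_KEYS` and `pollutedAfter` are all assumptions made for this example.

```javascript
// Added example, not code from think-helper. A recursive "extend" helper of the
// kind CWE-1321 describes: keys from untrusted input are written into an object.

// Vulnerable: no check on whether a key names the prototype chain, so
// "__proto__" walks up into Object.prototype and every object inherits the value.
function extendUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      extendUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype, iterate own properties only,
// and create nested containers with a null prototype so nothing can be inherited.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function extendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop silently, or throw, per policy
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = Object.create(null);
      }
      extendSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input (e.g. a parsed request body). JSON.parse keeps
// "__proto__" as an ordinary own key, which for...in then walks.
const untrusted = JSON.parse('{"name":"demo","__proto__":{"isAdmin":true}}');

// Merge the input with the given helper, then check whether an unrelated,
// freshly created object now sees "isAdmin": true means the prototype was polluted.
function pollutedAfter(extendFn) {
  extendFn({}, untrusted);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // clean up so the next check starts fresh
  return leaked;
}
```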
How to fix CVE-2021-32736
To remediate CVE-2021-32736, upgrade the affected package to a fixed version below.
- think-helper: upgrade to 1.1.3 or later
Is CVE-2021-32736 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- think-helper: versions from 0, < 1.1.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |