CVE-2024-32866: Conform contains a Prototype Pollution Vulnerability in `parseWith...` function

April 23, 2024

Conform allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature, an attacker can exploit it to trigger prototype pollution by passing a crafted input to parseWith... functions.

References

github.com/advisories/GHSA-624g-8qjg-8qxf
github.com/edmundhung/conform
github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3de
github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxf
nvd.nist.gov/vuln/detail/CVE-2024-32866

Detect and mitigate CVE-2024-32866 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →