Advisories for Npm/Deobfuscator package

2023

Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution

A `__proto__` pollution vulnerability exists in the LiteralMap transformer, allowing crafted input to modify properties on the Object prototype. When executing in Node.js, because of the use of the prettier module, defining a `parser` property on `__proto__` with a path to a JS module on disk causes a `require` of the value (prettier/src/main/parser.js), which can lead to arbitrary code execution.
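The pollution pattern described above next to a hardened form, as an added example that is not Synchrony's or prettier's code. The names `collectLiteralsWeak`, `collectLiteralsSafe` and `ownOption`, and the sample triples, are hypothetical and constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not Synchrony's code.
// Constructed sample: (object, property, value) triples gathered from literals.
const constructedInput = [
  ['cfg', 'mode', 'fast'],
  ['__proto__', 'parser', './constructed-placeholder.js'],
];

// Weak form: a plain {} used as a two-level map. map['__proto__'] resolves to
// Object.prototype, so the nested write becomes visible on every object.
function collectLiteralsWeak(entries) {
  const map = {};
  for (const [obj, prop, value] of entries) {
    if (!map[obj]) map[obj] = {};
    map[obj][prop] = value;
  }
  return map;
}

// Hardened form: Map keys are plain data, so '__proto__' is just another key.
function collectLiteralsSafe(entries) {
  const map = new Map();
  for (const [obj, prop, value] of entries) {
    if (!map.has(obj)) map.set(obj, new Map());
    map.get(obj).set(prop, value);
  }
  return map;
}

// Consumer-side check: honour an option only if the caller set it directly,
// never when it is merely inherited from the prototype chain.
function ownOption(options, name) {
  return Object.prototype.hasOwnProperty.call(options, name)
    ? options[name]
    : undefined;
}

function demo() {
  const result = {};
  const safe = collectLiteralsSafe(constructedInput);
  result.storedAsData = safe.get('__proto__').get('parser');
  result.afterSafe = ({}).parser;             // prototype untouched
  collectLiteralsWeak(constructedInput);
  result.afterWeak = ({}).parser;             // inherited by a fresh object
  result.ownCheck = ownOption({}, 'parser');  // inherited value is ignored
  delete Object.prototype.parser;             // restore the prototype
  result.afterCleanup = ({}).parser;
  return result;
}
```
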