Advisories for Npm/Deobfuscator package

2023

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Synchrony deobfuscator is a javascript cleaner & deobfuscator. A proto pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A proto pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify properties in the Object prototype. A fix has been released in deobfuscator@2.4.4. Users are advised to upgrade. Users unable to upgrade should launch node with the [–disable-proto=delete][disable-proto] or [–disable-proto=throw][disable-proto] flags