CVE-2023-45811: Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution
(updated )
A __proto__
pollution vulnerability exists in the [LiteralMap] transformer allowing crafted input to modify properties in the Object prototype.
When executing in Node.js, due to use of the prettier
module, defining a parser
property on __proto__
with a path to a JS module on disk [causes a require
of the value][prettier/src/main/parser.js] which can lead to arbitrary code execution.
References
- github.com/advisories/GHSA-jg82-xh3w-rhxx
- github.com/relative/synchrony
- github.com/relative/synchrony/commit/b583126be94c4db7c5a478f1c5204bfb4162cf40
- github.com/relative/synchrony/security/advisories/GHSA-jg82-xh3w-rhxx
- github.com/relative/synchrony/security/advisories/src/transformers/literalmap.ts
- nvd.nist.gov/vuln/detail/CVE-2023-45811
Code Behaviors & Features
Detect and mitigate CVE-2023-45811 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →