GHSA-q849-wxrc-vqrp: hull.js Code Injection Vulnerability

December 2, 2024

Versions of the library from 0.2.2 to 1.0.9 are vulnerable to the arbitrary code execution due to unsafe usage of new Function(...) in the module that handles points format. Applications passing the 3rd parameter to the hull function without sanitising may be impacted. The vulnerability has been fixed in version 1.0.10, please update the library. Check project homepage on GitHub to see how to fetch the latest version: https://github.com/andriiheonia/hull?tab=readme-ov-file#npm-package

References

github.com/AndriiHeonia/hull
github.com/AndriiHeonia/hull/commit/9de6f9549b74fbb68bf4d5a449147b4c1d7cda0a
github.com/AndriiHeonia/hull/security/advisories/GHSA-q849-wxrc-vqrp
github.com/advisories/GHSA-q849-wxrc-vqrp

Code Behaviors & Features

Detect and mitigate GHSA-q849-wxrc-vqrp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →