GMS-2022-68: Duplicate of ./npm/node-forge/CVE-2020-7720.yml

January 8, 2022

Impact

forge.util.setPath had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.

Patches

The forge.util.setPath API and related functions were removed in 0.10.0.

Workarounds

Don’t call forge.util.setPath directly or indirectly with untrusted keys.

References

https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-598677
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720

For more information

If you have any questions or comments about this advisory:

Open an issue in forge.
Email us at support@digitalbazaar.com.

References

github.com/advisories/GHSA-wxgw-qj99-44c2
github.com/digitalbazaar/forge/security/advisories/GHSA-wxgw-qj99-44c2

Detect and mitigate GMS-2022-68 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →