CVE-2023-26102: rangy vulnerable to Prototype Pollution

February 24, 2023 (updated November 7, 2023)

All versions of the package rangy is vulnerable to Prototype Pollution when using the extend() function in file rangy-core.js. The function uses recursive merge which can lead an attacker to modify properties of the Object.prototype

References

github.com/advisories/GHSA-65rp-mhqf-8gj3
github.com/timdown/rangy/issues/478
nvd.nist.gov/vuln/detail/CVE-2023-26102
security.snyk.io/vuln/SNYK-JS-RANGY-3175702

Detect and mitigate CVE-2023-26102 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →