
Fix Prototype Pollution vulnerability (CVE-2023-26102) [security] #482

Merged: 1 commit into timdown:master on Nov 2, 2024

Conversation

@JordiVM (Contributor) commented Apr 6, 2023

fixes #481

Rangy was flagged with a Prototype Pollution vulnerability at the end of 2022. This PR proposes a solution by skipping the problematic object attributes in rangy.util.extend().
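
The mitigation the PR describes, as an added example that is not Rangy's own code: a recursive extend() in the general shape of rangy.util.extend(), first in a form that can be made to write into Object.prototype, then hardened by refusing to copy the keys that reach the prototype chain. The key list (__proto__, constructor, prototype), the function names and the hostile JSON input are this example's own assumptions, not details taken from the PR.

```javascript
// Added example, not code from the Rangy project. Shows a deep extend() that
// is vulnerable to prototype pollution next to one hardened by skipping the
// keys an attacker can use to reach Object.prototype (an assumed key list).

const POLLUTING_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable shape: copies every own key of `source` into `target`, recursing
// into nested objects. If `source` has an own "__proto__" key (JSON.parse
// creates one as a data property), `target["__proto__"]` resolves through the
// inherited accessor to Object.prototype, and the recursion writes into it.
function extendVulnerable(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      extendVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened shape: identical, except that keys which reach the prototype chain
// are never copied. This is the class of fix the PR describes for extend().
function extendSafe(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    if (POLLUTING_KEYS.has(key)) continue; // the fix: skip polluting keys
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      extendSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input, e.g. the body of a request that ends
// up merged into an options object. JSON.parse does not set the prototype; it
// creates an own enumerable property literally named "__proto__".
const HOSTILE_JSON = '{"title": "note", "__proto__": {"polluted": true}}';

// Runs one extend implementation against the hostile input and reports whether
// an unrelated, freshly created object now inherits "polluted". Cleans up
// Object.prototype afterwards so successive runs do not influence each other.
function runAgainstHostileInput(extendFn) {
  const target = {};
  extendFn(target, JSON.parse(HOSTILE_JSON));
  const result = {
    title: target.title,
    leakedToPrototype: ({}).polluted === true,
  };
  delete Object.prototype.polluted;
  return result;
}

console.log("vulnerable:", runAgainstHostileInput(extendVulnerable));
console.log("hardened:  ", runAgainstHostileInput(extendSafe));
```

Note that a hasOwnProperty guard alone does not help here: the "__proto__" key from JSON.parse is an own property of the source, so the check that matters is on the key name (or, equivalently, only copying into targets created with Object.create(null)).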

@marcbachmann

@timdown feel free to add me as maintainer here and on npm if you don't have the time to maintain this module.
Then we can at least get the security issues fixed.

@varunzxzx left a comment

Please publish this fix!!

@antonh-ne commented Aug 23, 2023

Suggestion:

People aware of this vulnerability can patch it themselves for now, until a fix has been merged.

FL3XX-dev pushed a commit to FL3XX-dev/rangy that referenced this pull request Nov 2, 2023
@Talendar

@timdown, please, merge the fix and accept new maintainers.

@dkachurynets

can you merge it?

@timdown timdown merged commit 3ff18f9 into timdown:master Nov 2, 2024
@timdown (Owner) commented Nov 2, 2024

> @timdown feel free to add me as maintainer here and on npm if you don't have the time to maintain this module. Then we can at least get the security issues fixed.

I started a discussion.

@rmoehn commented Nov 5, 2024

@marcbachmann, @Talendar, I suggest being less gung-ho about adding maintainers to projects: https://www.theverge.com/2024/4/2/24119342/xz-utils-linux-backdoor-attempt

Linked issue: #481 (CVE problems exist)