CVE-2022-37623
Description
Prototype pollution in browserify-shim's resolveShims allows attackers to inject arbitrary properties into Object.prototype via the shimPath variable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The vulnerability resides in the resolveShims function within resolve-shims.js of the browserify-shim package (version 3.8.15). The function fails to properly sanitize the shimPath variable, allowing an attacker to inject properties into the global Object.prototype through a technique known as prototype pollution [2][4].
Exploitation
An attacker can exploit this flaw by crafting a malicious shimPath value that includes prototype properties like __proto__ or constructor.prototype. The vulnerable function processes this path without validation, enabling the pollution of the base object prototype. No authentication is required if the attacker can supply input to the shimPath parameter, which may occur when processing untrusted configuration files or user-supplied data [1][2].
Impact
Once the prototype is polluted, all objects in the application inherit the attacker-controlled properties. This can lead to unexpected behavior, denial of service, or further exploitation such as arbitrary code execution if the polluted properties affect security-sensitive operations. The impact is especially significant in browserify bundles that process untrusted configuration [1].
Mitigation
The project maintainers have addressed this vulnerability in commit 97855e622b6dcd117c77e6583701962ff45e7338, which prevents prototype manipulation by properly sanitizing the shimPath variable [3]. Users should update to a patched version, or if unavailable, manually apply the fix or avoid processing untrusted input with vulnerable versions.
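To make the mechanism concrete, here is an added example (not browserify-shim's code): a simplified shim-table builder modeled on the Object.keys loop patched in commit 97855e6, in unguarded and guarded form, plus a small scan that flags prototype-reaching keys in a parsed config before it is trusted. The sample config is constructed; the function names are this example's own.

```javascript
// Added example, not browserify-shim's code: shim-table builder modeled on the
// Object.keys loop patched in 97855e6; SAMPLE_CONFIG below is constructed.

// Keys that reach the prototype chain when used as a property name on a
// plain object; the same two the upstream fix skips.
const UNSAFE_KEYS = new Set(["__proto__", "constructor"]);

// Unguarded: for k === "__proto__", table[k] is Object.prototype, so the
// nested assignment lands on the prototype shared by every plain object.
function buildShimTableUnguarded(config) {
  const table = {};
  for (const k of Object.keys(config)) {
    const val = config[k];
    table[k] = table[k] || {};
    table[k].exports = val && val.exports;
  }
  return table;
}

// Guarded: skip prototype-reaching keys as the fix does, and use a
// null-prototype table so there is no __proto__ setter to hit at all.
function buildShimTableGuarded(config) {
  const table = Object.create(null);
  for (const k of Object.keys(config)) {
    if (UNSAFE_KEYS.has(k)) continue;
    const val = config[k];
    table[k] = { exports: val && val.exports };
  }
  return table;
}

// Defender-side check: dotted paths of prototype-reaching keys anywhere in a
// parsed config. JSON.parse keeps "__proto__" as an own enumerable key.
function findUnsafeKeys(obj, prefix = "") {
  if (obj === null || typeof obj !== "object") return [];
  return Object.keys(obj).flatMap((k) => {
    const here = prefix ? `${prefix}.${k}` : k;
    const hits = UNSAFE_KEYS.has(k) ? [here] : [];
    return hits.concat(findUnsafeKeys(obj[k], here));
  });
}

// Constructed config in the shape browserify-shim reads from package.json:
// one legitimate shim entry beside one hostile key.
const SAMPLE_CONFIG = JSON.parse(
  '{"jquery": {"exports": "$"}, "__proto__": {"exports": "polluted"}}'
);

console.log(findUnsafeKeys(SAMPLE_CONFIG)); // [ '__proto__' ]
```

Running the unguarded builder on SAMPLE_CONFIG leaves `({}).exports === "polluted"` for every object in the process, which is the condition the guarded builder prevents.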
[1] GitHub - thlorenz/browserify-shim: 📩 Makes CommonJS incompatible files browserifyable.
[2] NVD - CVE-2022-37623
[3] resolve-shims: prevent prototype manipulation (#246) · thlorenz/browserify-shim@97855e6
[4] browserify-shim/lib/resolve-shims.js at 464b32bbe142664cd9796059798f6c738ea3de8f · thlorenz/browserify-shim
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| browserify-shim (npm) | < 3.8.16 | 3.8.16 |
Affected products
- thlorenz/browserify-shim
Patches
- 97855e622b6d: resolve-shims: prevent prototype manipulation (#246)
1 file changed · +5 −0
lib/resolve-shims.js+5 −0 modified@@ -123,6 +123,11 @@ function separateExposeGlobals(shims) { , exposeGlobals = {}; Object.keys(shims).forEach(function (k) { + // https://github.com/thlorenz/browserify-shim/issues/245 + if (k === '__proto__' || k === 'constructor') { + return; + } + var val = shims[k] , exp = val && val.exports;
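Review bot: the guard in separateExposeGlobals drops the key with a bare `return` and nothing else, so a shim config carrying `__proto__` or `constructor` is silently ignored; consider logging a warning that names the offending key so a tampered config is noticed rather than swallowed. The check is also local to this one loop: any other code that iterates the same `shims` keys gets no protection from this hunk, so validating keys once where the config is parsed, or storing shims in a null-prototype object, would cover every consumer.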
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cfgr-75jx-h88g (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37623 (ghsa, advisory)
- github.com/thlorenz/browserify-shim/blob/464b32bbe142664cd9796059798f6c738ea3de8f/lib/resolve-shims.js (ghsa, web)
- github.com/thlorenz/browserify-shim/commit/97855e622b6dcd117c77e6583701962ff45e7338 (ghsa, web)
- github.com/thlorenz/browserify-shim/issues/248 (ghsa, web)
- github.com/thlorenz/browserify-shim/pull/246 (ghsa, web)