@aedart/support possibly vulnerable to prototype pollution in metadata record, when using meta decorator
Description
@aedart/support is the support package for Ion, a monorepo of JavaScript/TypeScript packages. Prior to version 0.6.1, the meta decorator in @aedart/support has a possible prototype pollution issue in the MetadataRecord when it is merged with a base class's metadata object. The likelihood of exploitation is questionable, since a class's metadata can only be set or altered when the class is decorated via meta(). Furthermore, objects of a sensitive nature would have to be stored as metadata before this could have a security impact. The issue has been patched in version 0.6.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in @aedart/support's meta decorator before 0.6.1, via unsafe metadata record creation, patched in 0.6.1.
A prototype pollution vulnerability exists in the @aedart/support package (Ion monorepo) prior to version 0.6.1. The issue is in how the meta() decorator resolves a class's metadata record: when the registry holds no record for the class, the function initialized one as an empty plain object {}, which inherits from Object.prototype. A base class's metadata is then merged into that record so that inheritance works. Because the target inherits from Object.prototype, a merged key such as __proto__ is routed through the inherited accessor rather than being stored as an own property, and lookups of keys the record does not define fall through to Object.prototype; either way, the metadata being merged can influence the record's prototype chain [1][3].
Exploitation requires that the attacker can control or influence the metadata being merged, which in practice only happens when decorating a class with meta(). The vulnerability is not easily triggered by remote attackers without prior access to modify class decorators or metadata objects. Furthermore, the impact depends on storing sensitive objects as metadata, which is an unconventional use [1][3].
The fix, introduced in commit c3e2ee0, replaces {} with Object.create(null), creating an object with a null prototype and eliminating the prototype pollution vector [4]. The patch is included in version 0.6.1. Users should upgrade to at least this version [1][3].
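To make the two previous paragraphs concrete, here is an added example (not code from @aedart/support or the Ion repository) that models the merge step with the pre-0.6.1 plain-object record beside the 0.6.1 null-prototype record. The names resolveRecordPlain, resolveRecordNullProto, mergeInto, inspectRecord, hostileBaseMetadata and the "isAdmin" key are hypothetical and exist only for this illustration; the sample base-class metadata is constructed inline.

```typescript
// Added example, not code from @aedart/support or the Ion repository.
// All names below are hypothetical; only the {} vs Object.create(null)
// distinction mirrors the fix described on this page.

type MetadataRecord = Record<string, unknown>;

// Constructed sample input: "base class" metadata whose keys are under the
// control of whoever supplied it. JSON.parse creates an *own* property
// literally named "__proto__"; it does not touch any prototype itself.
const hostileBaseMetadata: MetadataRecord = JSON.parse(
  '{"__proto__": {"isAdmin": true}, "role": "user"}'
);

// Copies base keys into target with ordinary assignment. This is the same
// [[Set]] path that Object.assign uses, so the behaviour shown below applies
// to Object.assign(target, base) as well.
function mergeInto(target: MetadataRecord, base: MetadataRecord): MetadataRecord {
  for (const key of Object.keys(base)) {
    target[key] = base[key];
  }
  return target;
}

// Pre-0.6.1 shape: the fresh record is a plain {} inheriting from
// Object.prototype. Assigning the key "__proto__" on such an object invokes
// the inherited accessor and replaces the record's prototype instead of
// storing an own property.
function resolveRecordPlain(base: MetadataRecord): MetadataRecord {
  const metadata: MetadataRecord = {};
  return mergeInto(metadata, base);
}

// 0.6.1 shape: a null-prototype record has no inherited "__proto__" accessor
// and no inherited keys at all, so every merged key, "__proto__" included,
// becomes an ordinary own property.
function resolveRecordNullProto(base: MetadataRecord): MetadataRecord {
  const metadata: MetadataRecord = Object.create(null);
  return mergeInto(metadata, base);
}

// Own-property check that works for records with or without a prototype
// (a null-prototype record has no .hasOwnProperty method to call).
function hasOwnKey(record: MetadataRecord, key: string): boolean {
  return Object.prototype.hasOwnProperty.call(record, key);
}

// What a consumer reading record["isAdmin"] would observe, plus where the
// merged "__proto__" key actually ended up.
function inspectRecord(record: MetadataRecord): {
  isAdmin: unknown;
  ownIsAdmin: boolean;
  ownProto: boolean;
  protoIsNull: boolean;
} {
  return {
    isAdmin: record["isAdmin"],
    ownIsAdmin: hasOwnKey(record, "isAdmin"),
    ownProto: hasOwnKey(record, "__proto__"),
    protoIsNull: Object.getPrototypeOf(record) === null,
  };
}

// Stand-alone run: the plain record reports isAdmin === true without owning
// the key; the null-prototype record reports undefined and owns "__proto__".
console.log("plain {} record:", inspectRecord(resolveRecordPlain(hostileBaseMetadata)));
console.log("null-prototype record:", inspectRecord(resolveRecordNullProto(hostileBaseMetadata)));
```

The pollution shown here is of the record's own prototype chain, which is exactly the scope the advisory describes: a consumer that later reads the record sees keys it never stored. Whether that escalates further depends on what the application does with the record, which is why the advisory rates the likelihood of a real impact as questionable.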
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @aedart/support | npm | < 0.6.1 | 0.6.1 |
Affected products
- Range: < 0.6.1
- aedart/ion (v5): < 0.6.1
Patches
c3e2ee08710d: Fix possible prototype pollution
1 file changed · +1 −1
packages/support/src/meta/meta.ts+1 −1 modified@@ -217,7 +217,7 @@ function resolveMetadataRecord(owner: object, context: Context, useMetaFromConte } // Obtain record from registry, or create new empty object. - let metadata: MetadataRecord = registry.get(owner) ?? {}; + let metadata: MetadataRecord = registry.get(owner) ?? Object.create(null); // In case that the owner has Symbol.metadata defined (e.g. from base class), // then merge it current metadata. This ensures that inheritance works as
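Review bot: the null-prototype object is only used on the `??` fallback path, so a record that `registry.get(owner)` already returns keeps whatever prototype it was created with; if any registry entry is ever created as a plain `{}` elsewhere (or survives from before this fix), the merge of the base class's `Symbol.metadata` into `metadata` described in the comment just below the hunk still targets an object with `Object.prototype` in its chain. Either normalize the fetched record too, or state in the comment that the registry is populated only through this function. The comment `// Obtain record from registry, or create new empty object.` should also say the new object has a null prototype, since callers can no longer rely on inherited methods such as `metadata.hasOwnProperty(...)` and must use `Object.hasOwn(metadata, key)` or `Object.prototype.hasOwnProperty.call(metadata, key)` instead.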
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wwxh-74fx-33c6 (GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-30857 (GHSA; ADVISORY)
- github.com/aedart/ion/commit/c3e2ee08710d4164d796ecb66ed291335dae9291 (GHSA; x_refsource_MISC; WEB)
- github.com/aedart/ion/security/advisories/GHSA-wwxh-74fx-33c6 (GHSA; x_refsource_CONFIRM; WEB)