VYPR
High severity · NVD Advisory · Published Nov 24, 2023 · Updated Aug 2, 2024

Prototype Pollution in robinbuschmann/sequelize-typescript

CVE-2023-6293

Description

Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.
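The mechanism behind this advisory, shown as an added TypeScript example written for this page (it is not sequelize-typescript's own code). The fix commit below filters keys inside deepAssign before calling an `assign` helper that is not shown on this page, so the recursive merge here is an assumed shape chosen to reproduce the failure mode, placed beside a hardened variant that applies the same denylist the fix uses. The attacker payload is constructed.

```typescript
// Added illustration, not the sequelize-typescript source. The library's
// `assign` helper is not visible on this page; the recursion below is an
// assumption about its shape, chosen to show how the pollution happens.
type AnyObject = Record<string, any>;

function isPlainObject(v: unknown): v is AnyObject {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Vulnerable shape: copies every own string key of `source` and merges nested
// objects in place. JSON.parse('{"__proto__":{...}}') yields an OWN data
// property literally named "__proto__", so getOwnPropertyNames returns it;
// reading target["__proto__"] resolves to Object.prototype, and the recursion
// then writes the attacker's keys onto every object in the process.
function deepAssignVulnerable(target: AnyObject, ...sources: AnyObject[]): AnyObject {
  for (const source of sources) {
    for (const key of Object.getOwnPropertyNames(source)) {
      const value = source[key];
      if (isPlainObject(value) && isPlainObject(target[key])) {
        deepAssignVulnerable(target[key], value);
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Hardened shape: the denylist from the fix commit, plus an own-property check
// so the merge never descends into anything inherited through a prototype,
// and nested objects are copied through the same filter.
const FORBIDDEN_KEYS: ReadonlySet<string> = new Set(['__proto__', 'constructor', 'prototype']);

function deepAssignHardened(target: AnyObject, ...sources: AnyObject[]): AnyObject {
  for (const source of sources) {
    for (const key of Object.getOwnPropertyNames(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue; // drop the key, do not copy it
      const value = source[key];
      const ownExisting = Object.prototype.hasOwnProperty.call(target, key);
      if (isPlainObject(value) && ownExisting && isPlainObject(target[key])) {
        deepAssignHardened(target[key], value);
      } else if (isPlainObject(value)) {
        target[key] = deepAssignHardened({}, value); // filter nested keys too
      } else {
        target[key] = value;
      }
    }
  }
  return target;
}

// Constructed attacker-controlled input (not taken from any real request).
const ATTACKER_JSON = '{"__proto__":{"polluted":true},"tenant":"acme"}';

// True if merging the payload with the vulnerable helper made the attacker's
// key visible on an unrelated, freshly created object. Cleans up afterwards.
function vulnerableHelperPollutes(): boolean {
  try {
    deepAssignVulnerable({}, JSON.parse(ATTACKER_JSON));
    return ({} as AnyObject).polluted === true;
  } finally {
    delete (Object.prototype as AnyObject).polluted;
  }
}

// Same payload through the hardened helper: was Object.prototype touched,
// did the legitimate key survive, and did "__proto__" land as an own key?
function hardenedHelperResult(): { polluted: boolean; tenant: unknown; ownProtoKey: boolean } {
  try {
    const target = deepAssignHardened({}, JSON.parse(ATTACKER_JSON));
    return {
      polluted: ({} as AnyObject).polluted === true,
      tenant: target.tenant,
      ownProtoKey: Object.prototype.hasOwnProperty.call(target, '__proto__'),
    };
  } finally {
    delete (Object.prototype as AnyObject).polluted;
  }
}

const vuln = vulnerableHelperPollutes();
const safe = hardenedHelperResult();
console.log(`vulnerable helper polluted Object.prototype: ${vuln}`);
console.log(`hardened helper polluted Object.prototype: ${safe.polluted}, tenant copied: ${safe.tenant}`);
```

The point the hardened variant makes beyond the denylist: a merge that only ever writes into properties the target owns cannot reach Object.prototype even if a new dangerous alias were discovered, and copying nested sources through the same filter means a payload buried one level down gets the same treatment.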

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              | Ecosystem | Affected versions | Patched versions
sequelize-typescript | npm       | < 2.1.6           | 2.1.6

Affected products: 1

Patches: 1

Commit 5ce8afdd1671

fix: deny modifying the object prototype (#1698)

2 files changed · +13 −1
  • src/shared/object.ts+4 1 modified
    @@ -14,7 +14,10 @@ export function deepAssign<T, S>(target: T, source: S): T & S;
     export function deepAssign<S>(target: {}, source: S): S;
     export function deepAssign(target: any, ...sources: any[]): any {
       sources.forEach((source) => {
    -    Object.getOwnPropertyNames(source).forEach((key) => assign(key, target, source));
    +    Object.getOwnPropertyNames(source).forEach(
    +      (key) =>
    +        !['__proto__', 'constructor', 'prototype'].includes(key) && assign(key, target, source)
    +    );
         /* istanbul ignore next */
         if (Object.getOwnPropertySymbols) {
           Object.getOwnPropertySymbols(source).forEach((key) => assign(key, target, source));
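Review bot: the denylist on the string-key path only protects the level being merged; whether a nested payload such as {"a":{"__proto__":{...}}} is filtered too depends on assign (not in this hunk) routing nested objects back through deepAssign, so please confirm that and cover it in the spec. Writing `!['__proto__', 'constructor', 'prototype'].includes(key) && assign(key, target, source)` for its side effect inside forEach reads as a boolean expression and rebuilds the array for every key; `if (!DENIED_KEYS.has(key)) assign(key, target, source)` with the list hoisted to a module-level Set states the intent directly. Note also that the denylist silently drops a source property legitimately named constructor; if that is intended, a one-line comment saying so would help the next reader.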
    
  • test/specs/utils/object.spec.ts+9 0 modified
    @@ -1,5 +1,6 @@
     import { expect } from 'chai';
     import { deepAssign } from '../../../src/shared/object';
    +import { addScopeOptions } from '../../../src/scopes/scope-service';
     
     describe('utils', () => {
       describe('object', () => {
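Review bot: importing addScopeOptions from scope-service into the utils/object spec couples this unit test to a different module; the fix lives in deepAssign, which this file already imports on the line above, so the regression test should call deepAssign directly, and addScopeOptions can be covered in a scope-service spec of its own.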
    @@ -109,6 +110,14 @@ describe('utils', () => {
             expect(copy.test).to.have.property('protoFn').that.is.a('function');
           });
     
    +      it('ignore prototype property', () => {
    +        const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
    +        const empty_scope = {};
    +
    +        addScopeOptions(empty_scope, BAD_JSON);
    +        expect(empty_scope).not.to.have.property('polluted');
    +      });
    +
           if (Object.getOwnPropertySymbols) {
             it('should copy symbol based objects', () => {
               const symbol = Symbol('test');
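Review bot: the new case asserts only on empty_scope and only for the __proto__ key, while the fix also denies constructor and prototype, and the damage from prototype pollution shows up on unrelated objects; add expect({}).not.to.have.property('polluted') (or the same check on Object.prototype) and payloads for the other two keys. A failing run would leave Object.prototype.polluted set and skew later specs, so clean it up in an afterEach with delete (Object.prototype as any).polluted. Minor: BAD_JSON holds the parsed object rather than JSON text, and empty_scope breaks the camelCase used elsewhere in this file; badPayload and emptyScope read better.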
    

