CVE-2024-57082
Description
Prototype pollution in @rpldy/uploader v1.8.1 allows denial-of-service via crafted payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
The lib.createUploader function in @rpldy/uploader v1.8.1 is vulnerable to prototype pollution. When merging user-supplied objects, the internal merge function did not sanitize keys like __proto__. A crafted payload containing "__proto__" keys could pollute the global object prototype, leading to unexpected behavior and denial-of-service (DoS) conditions [1][2].
Exploitation Scenario
An attacker can trigger this vulnerability by supplying a malicious JSON payload (e.g., {"__proto__":{"pollutedKey":123}}) to any API or interface that passes user input to lib.createUploader. No special privileges are required; the attack is performed over the network by sending a crafted request. The prototype pollution occurs during the merge operation, which is used internally by the uploader [2].
Impact and Mitigation
Successful exploitation allows the attacker to set arbitrary properties on Object.prototype. This can cause subsequent operations on the uploader (and other parts of the application) to fail or behave unexpectedly, effectively creating a denial-of-service condition. The vendor has addressed the issue in commit 386e0a8 and released version 1.9.1 as a fix, which includes a test ensuring that __proto__ and similar keys are ignored during merge [2][4]. Users should upgrade to @rpldy/uploader >=1.9.1 to remediate the vulnerability.
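The merge behaviour described in this section, as an added example that is not code from @rpldy/uploader or from the advisory: a naive recursive merge beside a hardened one, plus a check that reports where such keys occur in parsed input. The names `naiveMerge`, `safeMerge` and `findBlockedKeys` are hypothetical, and blocking `constructor` and `prototype` in addition to `__proto__` is an assumption of this example, wider than the filter in the patch.

```javascript
// Added example: constructed code, not the source of @rpldy/uploader.
// naiveMerge, safeMerge and findBlockedKeys are hypothetical names.

// Only "__proto__" is filtered in the patch shown on this page; the other two
// entries are an assumption of this example (a common, stricter blocklist).
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

const isPlain = (value) => {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
};

// Unsafe pattern: every enumerable key is followed, including "__proto__".
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlain(value)) {
      // For key "__proto__", target[key] goes through the inherited accessor
      // and returns Object.prototype, so the recursion writes into it.
      if (!isPlain(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip blocked keys and recurse only into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlain(value)) {
      const child = hasOwn(target, key) && isPlain(target[key]) ? target[key] : {};
      target[key] = safeMerge(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Input check for a trust boundary: report where blocked keys occur in parsed JSON.
function findBlockedKeys(value, path = "$") {
  if (value === null || typeof value !== "object") return [];
  const hits = [];
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (BLOCKED_KEYS.has(key)) hits.push(here);
    hits.push(...findBlockedKeys(value[key], here));
  }
  return hits;
}

function demo() {
  // Constructed input, using the payload shape quoted in the advisory.
  const raw = '{"autoUpload":false,"destination":{"__proto__":{"pollutedKey":123}}}';
  const report = {
    // JSON.parse stores "__proto__" as an ordinary own property,
    // which is why Object.keys() hands it to the merge loop.
    ownKey: hasOwn(JSON.parse(raw).destination, "__proto__"),
    findings: findBlockedKeys(JSON.parse(raw)),
  };
  try {
    naiveMerge({}, JSON.parse(raw));
    report.afterNaive = ({}).pollutedKey; // visible on an unrelated object
  } finally {
    delete Object.prototype.pollutedKey; // undo the change for the rest of the process
  }
  // Constructed default options; the URL is a placeholder.
  const defaults = { destination: { url: "https://upload.example.test" } };
  report.merged = safeMerge(defaults, JSON.parse(raw));
  report.afterSafe = ({}).pollutedKey;
  return report;
}

console.log(demo());
```

Running `findBlockedKeys` on parsed request bodies before they reach a merge gives a log-friendly path for each rejected key, which is useful when upgrading the library has to wait.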
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @rpldy/uploader (npm) | < 1.9.1 | 1.9.1 |
Affected products (2)
- Range: < 1.9.1
Patches (1)
386e0a80c428 fix: protect against prototype pollution in Uploady (#821)
12 files changed · +403 −305
cypress/e2e-weights.json+227 −221 modified@@ -1,485 +1,491 @@ { "threads": 3, - "files": 78, - "total": 111, - "passed": 111, + "files": 79, + "total": 118, + "passed": 118, "failed": 0, "sortedFiles": [ { "file": "cypress/integration/uploady/Uploady-autoUpload-off-spec.js", - "duration": 14241, + "duration": 15261, "tests": 7 }, { - "file": "cypress/integration/retry-hooks/RetryHooks-queue-spec.js", - "duration": 11743, - "tests": 3 + "file": "cypress/integration/tus-uploady/TusUploady-parallel-spec.js", + "duration": 13737, + "tests": 4 }, { "file": "cypress/integration/uploady/Uploady-cancel-with-async-presend-spec.js", - "duration": 11681, + "duration": 12875, "tests": 6 }, { "file": "cypress/integration/tus-uploady/TusUploady-resume-event-spec.js", - "duration": 10268, - "tests": 2 + "duration": 11957, + "tests": 3 }, { - "file": "cypress/integration/uploady/Uploady-abort-spec.js", - "duration": 9633, + "file": "cypress/integration/retry-hooks/RetryHooks-queue-spec.js", + "duration": 10572, "tests": 3 }, { - "file": "cypress/integration/uploady/Uploady-fast-abort-spec.js", - "duration": 9628, + "file": "cypress/integration/uploady/Uploady-abort-spec.js", + "duration": 9904, "tests": 3 }, { - "file": "cypress/integration/upload-preview/UploadPreview-crop-spec.js", - "duration": 8126, - "tests": 4 + "file": "cypress/integration/uploady/Uploady-fast-abort-spec.js", + "duration": 8857, + "tests": 3 }, { "file": "cypress/integration/upload-preview/UploadPreview-multi-crop-spec.js", - "duration": 7797, + "duration": 8426, "tests": 2 }, { - "file": "cypress/integration/chunked-uploady/ChunkedUploady-WithChunkEventHooks-spec.js", - "duration": 6680, + "file": "cypress/integration/upload-preview/UploadPreview-crop-spec.js", + "duration": 8343, + "tests": 4 + }, + { + "file": "cypress/integration/tus-uploady/TusUploady-retry-spec.js", + "duration": 7574, "tests": 2 }, { "file": "cypress/integration/chunked-uploady/ChunkedUploady-Abort-spec.js", - "duration": 6020, + 
"duration": 7024, "tests": 1 }, { - "file": "cypress/integration/mock-sender/MockSender-progress-spec.js", - "duration": 5927, + "file": "cypress/integration/chunked-uploady/ChunkedUploady-WithChunkEventHooks-spec.js", + "duration": 7006, "tests": 2 }, { - "file": "cypress/integration/upload-preview/UploadPreview-removePreview-spec.js", - "duration": 5672, + "file": "cypress/integration/mock-sender/MockSender-progress-spec.js", + "duration": 6280, "tests": 2 }, { - "file": "cypress/integration/tus-uploady/TusUploady-simple-spec.js", - "duration": 4917, - "tests": 1 + "file": "cypress/integration/upload-preview/UploadPreview-removePreview-spec.js", + "duration": 5619, + "tests": 2 }, { "file": "cypress/integration/upload-paste/UploadPaste-simple-spec.js", - "duration": 4348, + "duration": 5485, "tests": 2 }, { - "file": "cypress/integration/retry-hooks/RetryHooks-withRetry-all-spec.js", - "duration": 4285, - "tests": 1 + "file": "cypress/integration/tus-uploady/TusUploady-send-data-spec.js", + "duration": 5320, + "tests": 2 }, { "file": "cypress/integration/chunked-sender/ChunkedSender-Progress-spec.js", - "duration": 4260, + "duration": 4820, "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-asButton-spec.js", - "duration": 3931, - "tests": 1 + "file": "cypress/integration/upload-paste/UploadPaste-dropzone-spec.js", + "duration": 4547, + "tests": 2 }, { - "file": "cypress/integration/tus-uploady/TusUploady-send-data-spec.js", - "duration": 3846, + "file": "cypress/integration/uploady/Uploady-cancel-on-add-spec.js", + "duration": 4502, "tests": 1 }, { - "file": "cypress/integration/upload-paste/UploadPaste-element-spec.js", - "duration": 3790, + "file": "cypress/integration/tus-uploady/TusUploady-simple-spec.js", + "duration": 4435, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-cancel-on-add-spec.js", - "duration": 3786, + "file": "cypress/integration/retry-hooks/RetryHooks-withRetry-all-spec.js", + "duration": 4234, "tests": 
1 }, { - "file": "cypress/integration/umd/core-ui-chunked-umd-spec.js", - "duration": 3756, - "tests": 1 + "file": "cypress/integration/upload-drop-zone/UploadDropZone-get-files-filter-spec.js", + "duration": 4186, + "tests": 2 }, { - "file": "cypress/integration/tus-uploady/TusUploady-retry-spec.js", - "duration": 3713, + "file": "cypress/integration/upload-paste/UploadPaste-element-spec.js", + "duration": 4048, "tests": 1 }, { - "file": "cypress/integration/umd/core-ui-umd-spec.js", - "duration": 3549, + "file": "cypress/integration/umd/core-umd-spec.js", + "duration": 3932, "tests": 1 }, { - "file": "cypress/integration/retry-hooks/RetryHooks-withRetry-batch-spec.js", - "duration": 3423, + "file": "cypress/integration/umd/all-umd-spec.js", + "duration": 3897, "tests": 1 }, { - "file": "cypress/integration/upload-drop-zone/UploadDropZone-get-files-filter-spec.js", - "duration": 3395, - "tests": 2 - }, - { - "file": "cypress/integration/umd/all-umd-spec.js", - "duration": 3360, + "file": "cypress/integration/upload-button/UploadButton-group-spec.js", + "duration": 3866, "tests": 1 }, { - "file": "cypress/integration/upload-preview/UploadPreview-custom-method-spec.js", - "duration": 3277, + "file": "cypress/integration/upload-button/UploadButton-eventHooks-spec.js", + "duration": 3814, "tests": 1 }, { - "file": "cypress/integration/umd/core-umd-spec.js", - "duration": 3252, + "file": "cypress/integration/umd/core-ui-umd-spec.js", + "duration": 3805, "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-simple-multiple-spec.js", - "duration": 3139, + "file": "cypress/integration/umd/core-ui-chunked-umd-spec.js", + "duration": 3733, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-custom-success-spec.js", - "duration": 3030, - "tests": 2 + "file": "cypress/integration/retry-hooks/RetryHooks-withRetry-batch-spec.js", + "duration": 3721, + "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-group-spec.js", - 
"duration": 3021, + "file": "cypress/integration/upload-preview/UploadPreview-custom-method-spec.js", + "duration": 3637, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-invalid-batch-start-spec.js", - "duration": 2969, + "file": "cypress/integration/upload-preview/UploadPreview-crop-form-spec.js", + "duration": 3576, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-undefined-param-spec.js", - "duration": 2915, - "tests": 3 + "file": "cypress/integration/uploady/Uploady-custom-success-spec.js", + "duration": 3567, + "tests": 2 }, { - "file": "cypress/integration/upload-button/UploadButton-progress-spec.js", - "duration": 2893, + "file": "cypress/integration/uploady/Uploady-invalid-batch-start-spec.js", + "duration": 3498, "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-disabled-spec.js", - "duration": 2867, + "file": "cypress/integration/tus-uploady/TusUploady-parallel-with-data-spec.js", + "duration": 3470, "tests": 1 }, { "file": "cypress/integration/uploader/Uploader-data-test-spec.js", - "duration": 2858, + "duration": 3451, "tests": 1 }, { - "file": "cypress/integration/uploader/Uploader-recover-from-error-spec.js", - "duration": 2690, - "tests": 1 - }, - { - "file": "cypress/integration/tus-uploady/TusUploady-parallel-spec.js", - "duration": 2673, + "file": "cypress/integration/upload-button/UploadButton-disabled-spec.js", + "duration": 3364, "tests": 1 }, { "file": "cypress/integration/uploady/Uploady-failed-mock-spec.js", - "duration": 2638, + "duration": 3284, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-filesParamName-spec.js", - "duration": 2451, + "file": "cypress/integration/upload-button/UploadButton-simple-multiple-spec.js", + "duration": 3246, "tests": 1 }, { - "file": "cypress/integration/upload-preview/UploadPreview-crop-form-spec.js", - "duration": 2421, + "file": "cypress/integration/retry-hooks/RetryHooks-withRetry-item-spec.js", + "duration": 3152, "tests": 1 }, { - 
"file": "cypress/integration/chunked-uploady/ChunkedUploady-custom-success-spec.js", - "duration": 2402, + "file": "cypress/integration/upload-button/UploadButton-progress-spec.js", + "duration": 3076, "tests": 1 }, { - "file": "cypress/integration/retry-hooks/RetryHooks-withRetry-item-spec.js", - "duration": 2384, + "file": "cypress/integration/upload-paste/UploadPaste-uploadButton-spec.js", + "duration": 3011, "tests": 1 }, { - "file": "cypress/integration/upload-paste/UploadPaste-uploadButton-spec.js", - "duration": 2361, + "file": "cypress/integration/uploader/Uploader-recover-from-error-spec.js", + "duration": 2902, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-invalid-request-pre-send-spec.js", - "duration": 2332, - "tests": 1 + "file": "cypress/integration/upload-drop-zone/UploadDropZone-3rd-party-spec.js", + "duration": 2849, + "tests": 2 }, { - "file": "cypress/integration/upload-drop-zone/UploadDropZone-dropHandler-spec.js", - "duration": 2315, + "file": "cypress/integration/upload-button/UploadButton-form-spec.js", + "duration": 2777, "tests": 1 }, { "file": "cypress/integration/upload-preview/UploadPreview-clear-spec.js", - "duration": 2294, + "duration": 2768, "tests": 1 }, { - "file": "cypress/integration/upload-paste/UploadPaste-dropzone-spec.js", - "duration": 2209, - "tests": 2 + "file": "cypress/integration/upload-drop-zone/UploadDropZone-dropHandler-spec.js", + "duration": 2734, + "tests": 1 }, { "file": "cypress/integration/upload-button/UploadButton-styled-spec.js", - "duration": 2171, + "duration": 2704, "tests": 1 }, { - "file": "cypress/integration/upload-preview/UploadPreview-simple-fallback-spec.js", - "duration": 2167, + "file": "cypress/integration/upload-button/UploadButton-custom-input-button-spec.js", + "duration": 2698, "tests": 1 }, { - "file": "cypress/integration/upload-drop-zone/UploadDropZone-3rd-party-spec.js", - "duration": 2135, - "tests": 2 + "file": 
"cypress/integration/upload-preview/UploadPreview-simple-multiple-spec.js", + "duration": 2691, + "tests": 1 }, { - "file": "cypress/integration/tus-uploady/TusUploady-parallel-with-data-spec.js", - "duration": 2083, + "file": "cypress/integration/upload-button/UploadButton-asButton-spec.js", + "duration": 2690, "tests": 1 }, { - "file": "cypress/integration/native-uploady/NativeUploady-simple-spec.js", - "duration": 2025, + "file": "cypress/integration/chunked-sender/ChunkedSender-error-spec.js", + "duration": 2564, "tests": 1 }, { - "file": "cypress/integration/upload-preview/UploadPreview-two-fields-spec.js", - "duration": 2014, + "file": "cypress/integration/upload-drop-zone/UploadDropZone-differentConfig-spec.js", + "duration": 2485, "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-form-spec.js", - "duration": 1996, + "file": "cypress/integration/uploady/Uploady-undefined-param-spec.js", + "duration": 2464, + "tests": 3 + }, + { + "file": "cypress/integration/upload-button/UploadButton-simple-spec.js", + "duration": 2423, "tests": 1 }, { "file": "cypress/integration/upload-button/UploadButton-differentConfig-spec.js", - "duration": 1987, + "duration": 2406, "tests": 1 }, { - "file": "cypress/integration/upload-drop-zone/UploadDropZone-differentConfig-spec.js", - "duration": 1984, + "file": "cypress/integration/chunked-uploady/ChunkedUploady-custom-success-spec.js", + "duration": 2360, "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-simple-spec.js", - "duration": 1928, + "file": "cypress/integration/uploady/Uploady-filesParamName-spec.js", + "duration": 2359, "tests": 1 }, { - "file": "cypress/integration/chunked-sender/ChunkedSender-error-spec.js", - "duration": 1913, + "file": "cypress/integration/uploady/Uploady-invalid-request-pre-send-spec.js", + "duration": 2318, "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-eventListeners-spec.js", - "duration": 1806, + "file": 
"cypress/integration/upload-preview/UploadPreview-two-fields-spec.js", + "duration": 2232, "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-eventHooks-spec.js", - "duration": 1669, + "file": "cypress/integration/upload-drop-zone/UploadDropZone-simple-spec.js", + "duration": 2144, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-simple-spec.js", - "duration": 1657, - "tests": 2 + "file": "cypress/integration/upload-preview/UploadPreview-simple-fallback-spec.js", + "duration": 2042, + "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-pending-with-options-spec.js", - "duration": 1631, + "file": "cypress/integration/upload-button/UploadButton-eventListeners-spec.js", + "duration": 2033, "tests": 1 }, { - "file": "cypress/integration/upload-preview/UploadPreview-simple-multiple-spec.js", - "duration": 1623, + "file": "cypress/integration/uploader/Uploader-no-prepare-pollute-spec.js", + "duration": 2001, "tests": 1 }, { - "file": "cypress/integration/upload-preview/UploadPreview-simple-spec.js", - "duration": 1618, + "file": "cypress/integration/upload-drop-zone/UploadDropZone-handle-only-files-spec.js", + "duration": 1981, "tests": 1 }, { - "file": "cypress/integration/upload-drop-zone/UploadDropZone-handle-only-files-spec.js", - "duration": 1612, + "file": "cypress/integration/uploady/Uploady-simple-spec.js", + "duration": 1952, + "tests": 2 + }, + { + "file": "cypress/integration/upload-preview/UploadPreview-simple-spec.js", + "duration": 1858, "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-custom-input-button-spec.js", - "duration": 1469, + "file": "cypress/integration/native-uploady/NativeUploady-simple-spec.js", + "duration": 1792, "tests": 1 }, { "file": "cypress/integration/upload-drop-zone/UploadDropZone-no-handle-spec.js", - "duration": 1460, + "duration": 1764, "tests": 1 }, { - "file": "cypress/integration/upload-paste/UploadPaste-window-spec.js", - "duration": 1382, + "file": 
"cypress/integration/uploady/Uploady-pending-with-options-spec.js", + "duration": 1664, "tests": 1 }, { - "file": "cypress/integration/upload-button/UploadButton-customInputAndForm-spec.js", - "duration": 1372, + "file": "cypress/integration/uploader/Uploader-proto-pollute-spec.js", + "duration": 1606, "tests": 1 }, { - "file": "cypress/integration/upload-preview/UploadPreview-progress-spec.js", - "duration": 1246, + "file": "cypress/integration/upload-paste/UploadPaste-window-spec.js", + "duration": 1580, "tests": 1 }, { - "file": "cypress/integration/upload-drop-zone/UploadDropZone-simple-spec.js", - "duration": 1245, + "file": "cypress/integration/uploady/Uploady-customResponseFormat-spec.js", + "duration": 1561, "tests": 1 }, { - "file": "cypress/integration/upload-drop-zone/UploadDropZone-keep-on-child-spec.js", - "duration": 1221, + "file": "cypress/integration/uploady/Uploady-headerFromPreSend-spec.js", + "duration": 1505, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-customResponseFormat-spec.js", - "duration": 1153, + "file": "cypress/integration/upload-button/UploadButton-customInputAndForm-spec.js", + "duration": 1447, "tests": 1 }, { - "file": "cypress/integration/uploader/Uploader-no-prepare-pollute-spec.js", - "duration": 1071, + "file": "cypress/integration/uploady/Uploady-internal-input-spec.js", + "duration": 1442, "tests": 1 }, { - "file": "cypress/integration/upload-drop-zone/UploadDropZone-custom-remove-spec.js", - "duration": 829, + "file": "cypress/integration/upload-preview/UploadPreview-progress-spec.js", + "duration": 1402, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-headerFromPreSend-spec.js", - "duration": 812, + "file": "cypress/integration/upload-drop-zone/UploadDropZone-keep-on-child-spec.js", + "duration": 1044, "tests": 1 }, { - "file": "cypress/integration/uploady/Uploady-internal-input-spec.js", - "duration": 669, + "file": 
"cypress/integration/upload-drop-zone/UploadDropZone-custom-remove-spec.js", + "duration": 869, "tests": 1 } ], "groups": [ [ "cypress/integration/uploady/Uploady-autoUpload-off-spec.js", "cypress/integration/tus-uploady/TusUploady-resume-event-spec.js", - "cypress/integration/upload-preview/UploadPreview-crop-spec.js", - "cypress/integration/chunked-uploady/ChunkedUploady-Abort-spec.js", - "cypress/integration/tus-uploady/TusUploady-simple-spec.js", - "cypress/integration/chunked-sender/ChunkedSender-Progress-spec.js", - "cypress/integration/upload-paste/UploadPaste-element-spec.js", + "cypress/integration/uploady/Uploady-fast-abort-spec.js", "cypress/integration/tus-uploady/TusUploady-retry-spec.js", + "cypress/integration/mock-sender/MockSender-progress-spec.js", + "cypress/integration/tus-uploady/TusUploady-send-data-spec.js", + "cypress/integration/uploady/Uploady-cancel-on-add-spec.js", "cypress/integration/upload-drop-zone/UploadDropZone-get-files-filter-spec.js", - "cypress/integration/umd/core-umd-spec.js", - "cypress/integration/upload-button/UploadButton-group-spec.js", - "cypress/integration/upload-button/UploadButton-progress-spec.js", - "cypress/integration/uploader/Uploader-recover-from-error-spec.js", - "cypress/integration/uploady/Uploady-filesParamName-spec.js", + "cypress/integration/umd/all-umd-spec.js", + "cypress/integration/umd/core-ui-umd-spec.js", + "cypress/integration/upload-preview/UploadPreview-custom-method-spec.js", + "cypress/integration/uploady/Uploady-invalid-batch-start-spec.js", + "cypress/integration/upload-button/UploadButton-disabled-spec.js", "cypress/integration/retry-hooks/RetryHooks-withRetry-item-spec.js", - "cypress/integration/upload-drop-zone/UploadDropZone-dropHandler-spec.js", - "cypress/integration/upload-button/UploadButton-styled-spec.js", - "cypress/integration/tus-uploady/TusUploady-parallel-with-data-spec.js", - "cypress/integration/upload-button/UploadButton-form-spec.js", - 
"cypress/integration/upload-button/UploadButton-simple-spec.js", - "cypress/integration/upload-button/UploadButton-eventHooks-spec.js", - "cypress/integration/upload-preview/UploadPreview-simple-multiple-spec.js", + "cypress/integration/uploader/Uploader-recover-from-error-spec.js", + "cypress/integration/upload-preview/UploadPreview-clear-spec.js", "cypress/integration/upload-button/UploadButton-custom-input-button-spec.js", - "cypress/integration/upload-button/UploadButton-customInputAndForm-spec.js", - "cypress/integration/upload-drop-zone/UploadDropZone-keep-on-child-spec.js", + "cypress/integration/chunked-sender/ChunkedSender-error-spec.js", + "cypress/integration/upload-button/UploadButton-simple-spec.js", + "cypress/integration/uploady/Uploady-filesParamName-spec.js", + "cypress/integration/upload-drop-zone/UploadDropZone-simple-spec.js", + "cypress/integration/uploader/Uploader-no-prepare-pollute-spec.js", + "cypress/integration/upload-preview/UploadPreview-simple-spec.js", + "cypress/integration/uploady/Uploady-pending-with-options-spec.js", + "cypress/integration/uploady/Uploady-customResponseFormat-spec.js", + "cypress/integration/uploady/Uploady-internal-input-spec.js", "cypress/integration/upload-drop-zone/UploadDropZone-custom-remove-spec.js" ], [ + "cypress/integration/tus-uploady/TusUploady-parallel-spec.js", "cypress/integration/retry-hooks/RetryHooks-queue-spec.js", - "cypress/integration/uploady/Uploady-abort-spec.js", "cypress/integration/upload-preview/UploadPreview-multi-crop-spec.js", - "cypress/integration/mock-sender/MockSender-progress-spec.js", - "cypress/integration/upload-paste/UploadPaste-simple-spec.js", - "cypress/integration/upload-button/UploadButton-asButton-spec.js", - "cypress/integration/uploady/Uploady-cancel-on-add-spec.js", - "cypress/integration/umd/core-ui-umd-spec.js", - "cypress/integration/umd/all-umd-spec.js", - "cypress/integration/upload-button/UploadButton-simple-multiple-spec.js", - 
"cypress/integration/uploady/Uploady-invalid-batch-start-spec.js", - "cypress/integration/upload-button/UploadButton-disabled-spec.js", - "cypress/integration/tus-uploady/TusUploady-parallel-spec.js", + "cypress/integration/chunked-uploady/ChunkedUploady-Abort-spec.js", + "cypress/integration/upload-preview/UploadPreview-removePreview-spec.js", + "cypress/integration/chunked-sender/ChunkedSender-Progress-spec.js", + "cypress/integration/tus-uploady/TusUploady-simple-spec.js", + "cypress/integration/upload-paste/UploadPaste-element-spec.js", + "cypress/integration/upload-button/UploadButton-group-spec.js", + "cypress/integration/umd/core-ui-chunked-umd-spec.js", "cypress/integration/upload-preview/UploadPreview-crop-form-spec.js", - "cypress/integration/upload-paste/UploadPaste-uploadButton-spec.js", - "cypress/integration/upload-preview/UploadPreview-clear-spec.js", + "cypress/integration/tus-uploady/TusUploady-parallel-with-data-spec.js", + "cypress/integration/uploady/Uploady-failed-mock-spec.js", + "cypress/integration/upload-button/UploadButton-progress-spec.js", + "cypress/integration/upload-drop-zone/UploadDropZone-3rd-party-spec.js", + "cypress/integration/upload-drop-zone/UploadDropZone-dropHandler-spec.js", + "cypress/integration/upload-preview/UploadPreview-simple-multiple-spec.js", + "cypress/integration/upload-drop-zone/UploadDropZone-differentConfig-spec.js", + "cypress/integration/upload-button/UploadButton-differentConfig-spec.js", + "cypress/integration/uploady/Uploady-invalid-request-pre-send-spec.js", "cypress/integration/upload-preview/UploadPreview-simple-fallback-spec.js", + "cypress/integration/upload-drop-zone/UploadDropZone-handle-only-files-spec.js", "cypress/integration/native-uploady/NativeUploady-simple-spec.js", - "cypress/integration/upload-button/UploadButton-differentConfig-spec.js", - "cypress/integration/chunked-sender/ChunkedSender-error-spec.js", - "cypress/integration/uploady/Uploady-simple-spec.js", - 
"cypress/integration/upload-preview/UploadPreview-simple-spec.js", - "cypress/integration/upload-drop-zone/UploadDropZone-no-handle-spec.js", - "cypress/integration/upload-preview/UploadPreview-progress-spec.js", - "cypress/integration/uploady/Uploady-customResponseFormat-spec.js", - "cypress/integration/uploady/Uploady-headerFromPreSend-spec.js" + "cypress/integration/uploader/Uploader-proto-pollute-spec.js", + "cypress/integration/uploady/Uploady-headerFromPreSend-spec.js", + "cypress/integration/upload-preview/UploadPreview-progress-spec.js" ], [ "cypress/integration/uploady/Uploady-cancel-with-async-presend-spec.js", - "cypress/integration/uploady/Uploady-fast-abort-spec.js", + "cypress/integration/uploady/Uploady-abort-spec.js", + "cypress/integration/upload-preview/UploadPreview-crop-spec.js", "cypress/integration/chunked-uploady/ChunkedUploady-WithChunkEventHooks-spec.js", - "cypress/integration/upload-preview/UploadPreview-removePreview-spec.js", + "cypress/integration/upload-paste/UploadPaste-simple-spec.js", + "cypress/integration/upload-paste/UploadPaste-dropzone-spec.js", "cypress/integration/retry-hooks/RetryHooks-withRetry-all-spec.js", - "cypress/integration/tus-uploady/TusUploady-send-data-spec.js", - "cypress/integration/umd/core-ui-chunked-umd-spec.js", + "cypress/integration/umd/core-umd-spec.js", + "cypress/integration/upload-button/UploadButton-eventHooks-spec.js", "cypress/integration/retry-hooks/RetryHooks-withRetry-batch-spec.js", - "cypress/integration/upload-preview/UploadPreview-custom-method-spec.js", "cypress/integration/uploady/Uploady-custom-success-spec.js", - "cypress/integration/uploady/Uploady-undefined-param-spec.js", "cypress/integration/uploader/Uploader-data-test-spec.js", - "cypress/integration/uploady/Uploady-failed-mock-spec.js", + "cypress/integration/upload-button/UploadButton-simple-multiple-spec.js", + "cypress/integration/upload-paste/UploadPaste-uploadButton-spec.js", + 
"cypress/integration/upload-button/UploadButton-form-spec.js", + "cypress/integration/upload-button/UploadButton-styled-spec.js", + "cypress/integration/upload-button/UploadButton-asButton-spec.js", + "cypress/integration/uploady/Uploady-undefined-param-spec.js", "cypress/integration/chunked-uploady/ChunkedUploady-custom-success-spec.js", - "cypress/integration/uploady/Uploady-invalid-request-pre-send-spec.js", - "cypress/integration/upload-paste/UploadPaste-dropzone-spec.js", - "cypress/integration/upload-drop-zone/UploadDropZone-3rd-party-spec.js", "cypress/integration/upload-preview/UploadPreview-two-fields-spec.js", - "cypress/integration/upload-drop-zone/UploadDropZone-differentConfig-spec.js", "cypress/integration/upload-button/UploadButton-eventListeners-spec.js", - "cypress/integration/uploady/Uploady-pending-with-options-spec.js", - "cypress/integration/upload-drop-zone/UploadDropZone-handle-only-files-spec.js", + "cypress/integration/uploady/Uploady-simple-spec.js", + "cypress/integration/upload-drop-zone/UploadDropZone-no-handle-spec.js", "cypress/integration/upload-paste/UploadPaste-window-spec.js", - "cypress/integration/upload-drop-zone/UploadDropZone-simple-spec.js", - "cypress/integration/uploader/Uploader-no-prepare-pollute-spec.js", - "cypress/integration/uploady/Uploady-internal-input-spec.js" + "cypress/integration/upload-button/UploadButton-customInputAndForm-spec.js", + "cypress/integration/upload-drop-zone/UploadDropZone-keep-on-child-spec.js" ] ] }
cypress/integration/uploader/Uploader-proto-pollute-spec.js+34 −0 added@@ -0,0 +1,34 @@ +describe("Uploader - No Prototype Pollution test", () => { + + before(() => { + cy.visitStory("uploader", "test-proto-pollute"); + }); + + it("creating uploader shouldn't cause prototype pollution", () => { + cy.get("#test-info") + .should("exist"); + + cy.waitShort(); + + cy.window() + .then((win) => { + const uploader = win._test_createUploader({ + autoUpload: false, + destination: JSON.parse(`{"__proto__":{"pollutedKey":123}}`) + }); + + expect(uploader).to.exist; + expect({}.pollutedKey).to.be.undefined; + + expect(uploader.getOptions().destination.pollutedKey).to.be.undefined; + + const uploader2 = win._test_createUploader(JSON.parse(`{"__proto__":{"pollutedKey":123}}`)); + + expect(uploader2).to.exist; + expect({}.pollutedKey).to.be.undefined; + + expect(uploader2.getOptions()).to.exist; + expect(uploader.getOptions().pollutedKey).to.be.undefined; + }); + }); +});
package.json+4 −4 modified@@ -86,9 +86,9 @@ "@testing-library/react": "^16.1.0", "@testing-library/user-event": "^14.5.2", "@types/react": "^18.3.14", - "@vitest/coverage-istanbul": "^3.0.4", - "@vitest/coverage-v8": "^3.0.4", - "@vitest/ui": "^3.0.4", + "@vitest/coverage-istanbul": "^3.0.5", + "@vitest/coverage-v8": "^3.0.5", + "@vitest/ui": "^3.0.5", "async": "^3.2.6", "babel-loader": "^9.2.1", "babel-plugin-istanbul": "^7.0.0", @@ -147,7 +147,7 @@ "typescript-eslint": "^8.17.0", "vite": "^6.0.11", "vite-plugin-babel": "^1.3.0", - "vitest": "^3.0.4", + "vitest": "^3.0.5", "wait-on": "^8.0.1", "weak-napi": "^2.0.2", "webpack": "5",
packages/core/sender/src/xhrSender/tests/xhrSender.test.js+10 −3 modified@@ -135,6 +135,16 @@ describe("xhrSender tests", () => { test.xhr.upload.onprogress({}); expect(test.mockProgress).toHaveBeenCalledTimes(1); }); + + it("should avoid prototype pollution", async () => { + const test = doTest(JSON.parse(`{"__proto__":{"pollutedKey":123}}`)); + + test.xhrResolve(); + + await test.sendResult.request; + + expect({}.pollutedKey).toBeUndefined(); + }); }); describe("abort tests", () => { @@ -164,7 +174,6 @@ describe("xhrSender tests", () => { }); describe("json parse tests", () => { - it("should try parse json with forceJsonResponse", async () => { const responseData = { success: true }; @@ -198,7 +207,6 @@ describe("xhrSender tests", () => { }); describe("request error & failure tests", () => { - it("should handle request failure", async () => { const responseData = { failure: true }; @@ -266,7 +274,6 @@ describe("xhrSender tests", () => { }); describe("with custom config", () => { - beforeEach(() => { vi.useFakeTimers(); });
packages/core/shared/src/utils/isPlainObject.js+8 −4 modified@@ -1,8 +1,12 @@ // @flow +const isPlainObject = (obj: Object): boolean => { + const proto = Object.getPrototypeOf(Object(obj)); -const isPlainObject = (obj: mixed): boolean => !!obj && - typeof obj === "object" && - (Object.getPrototypeOf(obj)?.constructor.name === "Object" || - Object.getPrototypeOf(obj) === null); + return !!obj && + typeof obj === "object" && + (proto?.constructor.name === "Object" || proto === null) && + //$FlowExpectedError[method-unbinding] + !Object.prototype.hasOwnProperty.call(obj, "__proto__"); +}; export default isPlainObject;
packages/core/shared/src/utils/merge.js+1 −1 modified@@ -12,7 +12,7 @@ type MergeMethod = (target: Object, ...sources: Array<Object>) => Object; export const isMergeObj = (obj: Object): boolean => isPlainObject(obj) || Array.isArray(obj); const getKeys = (obj: Object, options: MergeOptions) => { - const keys = Object.keys(obj); + const keys = Object.keys(obj).filter((k) => obj.hasOwnProperty(k) && k !== "__proto__"); return options.withSymbols ? keys.concat(Object.getOwnPropertySymbols(obj)) : keys;
packages/core/shared/src/utils/tests/clone.test.js+14 −0 modified@@ -64,4 +64,18 @@ describe("clone (deep) tests", () => { expect(merge).toHaveBeenCalledWith({}, obj); }); + + it("should not allow prototype pollution", () => { + const obj = JSON.parse(`{"__proto__":{"pollutedKey":123}}`); + const clonedObj = clone(obj); + + expect(clonedObj.pollutedKey).toBeUndefined(); + expect({}.pollutedKey).toBeUndefined(); + + const deepWithPollute = JSON.parse(`{"a":{"b":{"__proto__":{"pollutedKey":123}}}}`); + + const deepClonedObj = clone(deepWithPollute); + expect(deepClonedObj.a.b.pollutedKey).toBeUndefined(); + expect({}.pollutedKey).toBeUndefined(); + }); });
packages/core/shared/src/utils/tests/isPlainObject.test.js+1 −0 modified@@ -2,6 +2,7 @@ import isPlainObject from "../isPlainObject"; describe("isPlainObject tests", () => { it.each([ + [false, JSON.parse(`{"__proto__":{"pollutedKey":123}}`)], [false, true], [false, false], [false, 0],
packages/core/shared/src/utils/tests/merge.test.js+21 −10 modified@@ -4,15 +4,13 @@ describe("merge (deep) tests", () => { describe("default merge tests", () => { it("should return target if not sources", () => { - const a = { foo: "bar" }; const result = merge(a); expect(result).toBe(a); }); it("should merge two simple-flat objects", () => { - const a = { foo: "bar", a: 1, @@ -102,7 +100,6 @@ describe("merge (deep) tests", () => { }); it("should merge array from source", () => { - const a = {}; const b = { arr: [1, 2, 3] }; @@ -112,7 +109,6 @@ describe("merge (deep) tests", () => { }); it("should merge multiple levels from multiple objects", () => { - const a = { lll: "aaaa", @@ -191,7 +187,6 @@ describe("merge (deep) tests", () => { }); it("should ignore __proto__", () => { - const a = { a: "b" }; @@ -216,7 +211,6 @@ describe("merge (deep) tests", () => { }); it("should ignore empty sources", () => { - const a = { foo: "bar", }; @@ -232,6 +226,27 @@ describe("merge (deep) tests", () => { test: true, }); }); + + it("should not allow prototype pollution", () => { + const a = {}; + const b = JSON.parse(`{"__proto__":{"pollutedKey":123}}`); + + merge(a, b); + + expect(a.pollutedKey).toBeUndefined(); + expect({}.pollutedKey).toBeUndefined(); + + const c = { + test: true, + foo: JSON.parse(`{"__proto__":{"pollutedKey":123}}`) + }; + + const res = merge({}, c); + + expect(res.pollutedKey).toBeUndefined(); + expect(res.foo.pollutedKey).toBeUndefined(); + expect({}.pollutedKey).toBeUndefined(); + }); }); describe("undefinedOverwrites tests", () => { @@ -250,7 +265,6 @@ describe("merge (deep) tests", () => { }); it("should overwrite with undefined deep", () => { - const a = { lll: "aaaa", @@ -323,7 +337,6 @@ describe("merge (deep) tests", () => { describe("withSymbols tests", () => { it("should merge symbols when withSymbols = true", () => { - const sym1 = Symbol.for("test-sym1"); const sym2 = Symbol.for("test-sym2"); 
@@ -381,9 +394,7 @@ describe("merge (deep) tests", () => { }); describe("predicate tests", () => { - it("should use predicate", () => { - const obj = { test: { 2: { foo: "bar" },
packages/core/shared/src/utils/tests/pick.test.js+10 −2 modified@@ -1,7 +1,6 @@ import pick from "../pick"; describe("pick tests", () => { - it("should return null for null", () => { expect(pick(null)).toBeNull(); }); @@ -11,7 +10,6 @@ describe("pick tests", () => { }); it("should return requested props", () => { - expect(pick({ foo: "aaa", bar: "bbb", @@ -22,4 +20,14 @@ describe("pick tests", () => { more: { level: 2 } }); }); + + it("should not allow prototype pollution", () => { + const b = JSON.parse(`{"__proto__":{"pollutedKey":123}, "foo": "bar"}`); + + const res = pick(b, ["foo"]); + + expect(res).toEqual({ foo: "bar" }); + expect(res.pollutedKey).toBeUndefined(); + expect({}.pollutedKey).toBeUndefined(); + }); });
packages/core/uploader/Uploader.stories.js+13 −0 modified@@ -207,6 +207,19 @@ export const TEST_EventsData: UploadyStory = createUploadyStory( ); }); +export const TEST_ProtoPollute: UploadyStory = createUploadyStory((): Node => { + useEffect(() => { + window._test_createUploader = createUploader; + }, []); + + return ( + <div> + <h2>Proto Pollution Test</h2> + <p id="test-info">createUploader is available on window._test_createUploader</p> + </div> + ) +}); + export const UMD_Core: UploadyStory = createUploadyStory( ({ destination,
pnpm-lock.yaml+60 −60 modified@@ -106,14 +106,14 @@ importers: specifier: ^18.3.14 version: 18.3.14 '@vitest/coverage-istanbul': - specifier: ^3.0.4 - version: 3.0.4(vitest@3.0.4) + specifier: ^3.0.5 + version: 3.0.5(vitest@3.0.5) '@vitest/coverage-v8': - specifier: ^3.0.4 - version: 3.0.4(vitest@3.0.4) + specifier: ^3.0.5 + version: 3.0.5(vitest@3.0.5) '@vitest/ui': - specifier: ^3.0.4 - version: 3.0.4(vitest@3.0.4) + specifier: ^3.0.5 + version: 3.0.5(vitest@3.0.5) async: specifier: ^3.2.6 version: 3.2.6 @@ -194,7 +194,7 @@ importers: version: 0.11.2(eslint@9.19.0)(typescript@5.7.2) eslint-plugin-vitest: specifier: ^0.5.4 - version: 0.5.4(eslint@9.19.0)(typescript@5.7.2)(vitest@3.0.4) + version: 0.5.4(eslint@9.19.0)(typescript@5.7.2)(vitest@3.0.5) execa: specifier: ^9.5.2 version: 9.5.2 @@ -289,8 +289,8 @@ importers: specifier: ^1.3.0 version: 1.3.0(@babel/core@7.26.0)(vite@6.0.11) vitest: - specifier: ^3.0.4 - version: 3.0.4(@types/node@22.9.0)(@vitest/ui@3.0.4)(jsdom@25.0.1) + specifier: ^3.0.5 + version: 3.0.5(@types/node@22.9.0)(@vitest/ui@3.0.5)(jsdom@25.0.1) wait-on: specifier: ^8.0.1 version: 8.0.1 @@ -5002,10 +5002,10 @@ packages: eslint-visitor-keys: 4.2.0 dev: true - /@vitest/coverage-istanbul@3.0.4(vitest@3.0.4): - resolution: {integrity: sha512-a+SgPMom0PlRTuDasoucL2V7FDpS8j7p6jpHLNgt3d7oOSWYwtAFVCfZ3iQ+a+cOnh76g4mOftVR5Y9HokB/GQ==} + /@vitest/coverage-istanbul@3.0.5(vitest@3.0.5): + resolution: {integrity: sha512-yTcIwrpLHOyPP28PXXLRv1NzzKCrqDnmT7oVypTa1Q24P6OwGT4Wi6dXNEaJg33vmrPpoe81f31kwB5MtfM+ow==} peerDependencies: - vitest: 3.0.4 + vitest: 3.0.5 dependencies: '@istanbuljs/schema': 0.1.3 debug: 4.4.0(supports-color@8.1.1) 
@@ -5017,16 +5017,16 @@ packages: magicast: 0.3.5 test-exclude: 7.0.1 tinyrainbow: 2.0.0 - vitest: 3.0.4(@types/node@22.9.0)(@vitest/ui@3.0.4)(jsdom@25.0.1) + vitest: 3.0.5(@types/node@22.9.0)(@vitest/ui@3.0.5)(jsdom@25.0.1) transitivePeerDependencies: - supports-color dev: true - /@vitest/coverage-v8@3.0.4(vitest@3.0.4): - resolution: {integrity: sha512-f0twgRCHgbs24Dp8cLWagzcObXMcuKtAwgxjJV/nnysPAJJk1JiKu/W0gIehZLmkljhJXU/E0/dmuQzsA/4jhA==} + /@vitest/coverage-v8@3.0.5(vitest@3.0.5): + resolution: {integrity: sha512-zOOWIsj5fHh3jjGwQg+P+J1FW3s4jBu1Zqga0qW60yutsBtqEqNEJKWYh7cYn1yGD+1bdPsPdC/eL4eVK56xMg==} peerDependencies: - '@vitest/browser': 3.0.4 - vitest: 3.0.4 + '@vitest/browser': 3.0.5 + vitest: 3.0.5 peerDependenciesMeta: '@vitest/browser': optional: true @@ -5043,7 +5043,7 @@ packages: std-env: 3.8.0 test-exclude: 7.0.1 tinyrainbow: 2.0.0 - vitest: 3.0.4(@types/node@22.9.0)(@vitest/ui@3.0.4)(jsdom@25.0.1) + vitest: 3.0.5(@types/node@22.9.0)(@vitest/ui@3.0.5)(jsdom@25.0.1) transitivePeerDependencies: - supports-color dev: true @@ -5057,17 +5057,17 @@ packages: tinyrainbow: 1.2.0 dev: true - /@vitest/expect@3.0.4: - resolution: {integrity: sha512-Nm5kJmYw6P2BxhJPkO3eKKhGYKRsnqJqf+r0yOGRKpEP+bSCBDsjXgiu1/5QFrnPMEgzfC38ZEjvCFgaNBC0Eg==} + /@vitest/expect@3.0.5: + resolution: {integrity: sha512-nNIOqupgZ4v5jWuQx2DSlHLEs7Q4Oh/7AYwNyE+k0UQzG7tSmjPXShUikn1mpNGzYEN2jJbTvLejwShMitovBA==} dependencies: - '@vitest/spy': 3.0.4 - '@vitest/utils': 3.0.4 + '@vitest/spy': 3.0.5 + '@vitest/utils': 3.0.5 chai: 5.1.2 tinyrainbow: 2.0.0 dev: true - /@vitest/mocker@3.0.4(vite@6.0.11): - resolution: {integrity: sha512-gEef35vKafJlfQbnyOXZ0Gcr9IBUsMTyTLXsEQwuyYAerpHqvXhzdBnDFuHLpFqth3F7b6BaFr4qV/Cs1ULx5A==} + /@vitest/mocker@3.0.5(vite@6.0.11): + resolution: {integrity: sha512-CLPNBFBIE7x6aEGbIjaQAX03ZZlBMaWwAjBdMkIf/cAn6xzLTiM3zYqO/WAbieEjsAZir6tO71mzeHZoodThvw==} peerDependencies: msw: ^2.4.9 vite: ^5.0.0 || ^6.0.0 
@@ -5077,7 +5077,7 @@ packages: vite: optional: true dependencies: - '@vitest/spy': 3.0.4 + '@vitest/spy': 3.0.5 estree-walker: 3.0.3 magic-string: 0.30.17 vite: 6.0.11(@types/node@22.9.0) @@ -5095,23 +5095,23 @@ packages: tinyrainbow: 1.2.0 dev: true - /@vitest/pretty-format@3.0.4: - resolution: {integrity: sha512-ts0fba+dEhK2aC9PFuZ9LTpULHpY/nd6jhAQ5IMU7Gaj7crPCTdCFfgvXxruRBLFS+MLraicCuFXxISEq8C93g==} + /@vitest/pretty-format@3.0.5: + resolution: {integrity: sha512-CjUtdmpOcm4RVtB+up8r2vVDLR16Mgm/bYdkGFe3Yj/scRfCpbSi2W/BDSDcFK7ohw8UXvjMbOp9H4fByd/cOA==} dependencies: tinyrainbow: 2.0.0 dev: true - /@vitest/runner@3.0.4: - resolution: {integrity: sha512-dKHzTQ7n9sExAcWH/0sh1elVgwc7OJ2lMOBrAm73J7AH6Pf9T12Zh3lNE1TETZaqrWFXtLlx3NVrLRb5hCK+iw==} + /@vitest/runner@3.0.5: + resolution: {integrity: sha512-BAiZFityFexZQi2yN4OX3OkJC6scwRo8EhRB0Z5HIGGgd2q+Nq29LgHU/+ovCtd0fOfXj5ZI6pwdlUmC5bpi8A==} dependencies: - '@vitest/utils': 3.0.4 + '@vitest/utils': 3.0.5 pathe: 2.0.2 dev: true - /@vitest/snapshot@3.0.4: - resolution: {integrity: sha512-+p5knMLwIk7lTQkM3NonZ9zBewzVp9EVkVpvNta0/PlFWpiqLaRcF4+33L1it3uRUCh0BGLOaXPPGEjNKfWb4w==} + /@vitest/snapshot@3.0.5: + resolution: {integrity: sha512-GJPZYcd7v8QNUJ7vRvLDmRwl+a1fGg4T/54lZXe+UOGy47F9yUfE18hRCtXL5aHN/AONu29NGzIXSVFh9K0feA==} dependencies: - '@vitest/pretty-format': 3.0.4 + '@vitest/pretty-format': 3.0.5 magic-string: 0.30.17 pathe: 2.0.2 dev: true 
@@ -5122,25 +5122,25 @@ packages: tinyspy: 3.0.2 dev: true - /@vitest/spy@3.0.4: - resolution: {integrity: sha512-sXIMF0oauYyUy2hN49VFTYodzEAu744MmGcPR3ZBsPM20G+1/cSW/n1U+3Yu/zHxX2bIDe1oJASOkml+osTU6Q==} + /@vitest/spy@3.0.5: + resolution: {integrity: sha512-5fOzHj0WbUNqPK6blI/8VzZdkBlQLnT25knX0r4dbZI9qoZDf3qAdjoMmDcLG5A83W6oUUFJgUd0EYBc2P5xqg==} dependencies: tinyspy: 3.0.2 dev: true - /@vitest/ui@3.0.4(vitest@3.0.4): - resolution: {integrity: sha512-e+s2F9e9FUURkZ5aFIe1Fi3Y8M7UF6gEuShcaV/ur7y/Ldri+1tzWQ1TJq9Vas42NXnXvCAIrU39Z4U2RyET6g==} + /@vitest/ui@3.0.5(vitest@3.0.5): + resolution: {integrity: sha512-gw2noso6WI+2PeMVCZFntdATS6xl9qhQcbhkPQ9sOmx/Xn0f4Bx4KDSbD90jpJPF0l5wOzSoGCmKyVR3W612mg==} peerDependencies: - vitest: 3.0.4 + vitest: 3.0.5 dependencies: - '@vitest/utils': 3.0.4 + '@vitest/utils': 3.0.5 fflate: 0.8.2 flatted: 3.3.2 pathe: 2.0.2 sirv: 3.0.0 tinyglobby: 0.2.10 tinyrainbow: 2.0.0 - vitest: 3.0.4(@types/node@22.9.0)(@vitest/ui@3.0.4)(jsdom@25.0.1) + vitest: 3.0.5(@types/node@22.9.0)(@vitest/ui@3.0.5)(jsdom@25.0.1) dev: true /@vitest/utils@2.0.5: @@ -5160,10 +5160,10 @@ packages: tinyrainbow: 1.2.0 dev: true - /@vitest/utils@3.0.4: - resolution: {integrity: sha512-8BqC1ksYsHtbWH+DfpOAKrFw3jl3Uf9J7yeFh85Pz52IWuh1hBBtyfEbRNNZNjl8H8A5yMLH9/t+k7HIKzQcZQ==} + /@vitest/utils@3.0.5: + resolution: {integrity: sha512-N9AX0NUoUtVwKwy21JtwzaqR5L5R5A99GAbrHfCCXK1lp593i/3AZAXhSP43wRQuxYsflrdzEfXZFo1reR1Nkg==} dependencies: - '@vitest/pretty-format': 3.0.4 + '@vitest/pretty-format': 3.0.5 loupe: 3.1.2 tinyrainbow: 2.0.0 dev: true @@ -7888,7 +7888,7 @@ packages: - typescript dev: true - /eslint-plugin-vitest@0.5.4(eslint@9.19.0)(typescript@5.7.2)(vitest@3.0.4): + /eslint-plugin-vitest@0.5.4(eslint@9.19.0)(typescript@5.7.2)(vitest@3.0.5): resolution: {integrity: sha512-um+odCkccAHU53WdKAw39MY61+1x990uXjSPguUCq3VcEHdqJrOb8OTMrbYlY6f9jAKx7x98kLVlIe3RJeJqoQ==} engines: {node: ^18.0.0 || >= 20.0.0} peerDependencies: 
@@ -7903,7 +7903,7 @@ packages: dependencies: '@typescript-eslint/utils': 7.18.0(eslint@9.19.0)(typescript@5.7.2) eslint: 9.19.0 - vitest: 3.0.4(@types/node@22.9.0)(@vitest/ui@3.0.4)(jsdom@25.0.1) + vitest: 3.0.5(@types/node@22.9.0)(@vitest/ui@3.0.5)(jsdom@25.0.1) transitivePeerDependencies: - supports-color - typescript @@ -14434,8 +14434,8 @@ packages: extsprintf: 1.3.0 dev: true - /vite-node@3.0.4(@types/node@22.9.0): - resolution: {integrity: sha512-7JZKEzcYV2Nx3u6rlvN8qdo3QV7Fxyt6hx+CCKz9fbWxdX5IvUOmTWEAxMrWxaiSf7CKGLJQ5rFu8prb/jBjOA==} + /vite-node@3.0.5(@types/node@22.9.0): + resolution: {integrity: sha512-02JEJl7SbtwSDJdYS537nU6l+ktdvcREfLksk/NDAqtdKWGqHl+joXzEubHROmS3E6pip+Xgu2tFezMu75jH7A==} engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0} hasBin: true dependencies: @@ -14517,16 +14517,16 @@ packages: fsevents: 2.3.3 dev: true - /vitest@3.0.4(@types/node@22.9.0)(@vitest/ui@3.0.4)(jsdom@25.0.1): - resolution: {integrity: sha512-6XG8oTKy2gnJIFTHP6LD7ExFeNLxiTkK3CfMvT7IfR8IN+BYICCf0lXUQmX7i7JoxUP8QmeP4mTnWXgflu4yjw==} + /vitest@3.0.5(@types/node@22.9.0)(@vitest/ui@3.0.5)(jsdom@25.0.1): + resolution: {integrity: sha512-4dof+HvqONw9bvsYxtkfUp2uHsTN9bV2CZIi1pWgoFpL1Lld8LA1ka9q/ONSsoScAKG7NVGf2stJTI7XRkXb2Q==} engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0} hasBin: true peerDependencies: '@edge-runtime/vm': '*' '@types/debug': ^4.1.12 '@types/node': ^18.0.0 || ^20.0.0 || >=22.0.0 - '@vitest/browser': 3.0.4 - '@vitest/ui': 3.0.4 + '@vitest/browser': 3.0.5 + '@vitest/ui': 3.0.5 happy-dom: '*' jsdom: '*' peerDependenciesMeta: 
@@ -14546,14 +14546,14 @@ packages: optional: true dependencies: '@types/node': 22.9.0 - '@vitest/expect': 3.0.4 - '@vitest/mocker': 3.0.4(vite@6.0.11) - '@vitest/pretty-format': 3.0.4 - '@vitest/runner': 3.0.4 - '@vitest/snapshot': 3.0.4 - '@vitest/spy': 3.0.4 - '@vitest/ui': 3.0.4(vitest@3.0.4) - '@vitest/utils': 3.0.4 + '@vitest/expect': 3.0.5 + '@vitest/mocker': 3.0.5(vite@6.0.11) + '@vitest/pretty-format': 3.0.5 + '@vitest/runner': 3.0.5 + '@vitest/snapshot': 3.0.5 + '@vitest/spy': 3.0.5 + '@vitest/ui': 3.0.5(vitest@3.0.5) + '@vitest/utils': 3.0.5 chai: 5.1.2 debug: 4.4.0(supports-color@8.1.1) expect-type: 1.1.0 @@ -14566,7 +14566,7 @@ packages: tinypool: 1.0.2 tinyrainbow: 2.0.0 vite: 6.0.11(@types/node@22.9.0) - vite-node: 3.0.4(@types/node@22.9.0) + vite-node: 3.0.5(@types/node@22.9.0) why-is-node-running: 2.3.0 transitivePeerDependencies: - jiti
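Review bot: in packages/core/shared/src/utils/merge.js, the new filter in getKeys calls `obj.hasOwnProperty(k)` directly on the object being merged, which throws a TypeError for a null-prototype object (isPlainObject still accepts `proto === null`) and for any source that carries its own `hasOwnProperty` key. Object.keys already returns only own enumerable string keys, so the call is redundant. Dropping it and keeping `k !== "__proto__"`, or using `Object.prototype.hasOwnProperty.call(obj, k)` as the isPlainObject change does, keeps the fix from adding a new crash path. A test that merges an `Object.create(null)` source would pin this down.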
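Review bot: in packages/core/shared/src/utils/isPlainObject.js, the parameter type is narrowed from `mixed` to `Object` although the function is a guard that the table in isPlainObject.test.js calls with `true`, `false` and `0`; keeping `mixed` would leave the Flow signature matching how the function is used. The added own-`__proto__` check also makes isPlainObject return false for the whole object, so isMergeObj now reports such a value as not mergeable. A short comment stating that this is intentional would help the next reader, since the function name no longer describes everything it rejects.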
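Review bot: in packages/core/shared/src/utils/tests/clone.test.js, the context line just above the new test is `expect(merge).toHaveBeenCalledWith({}, obj);`, so merge is mocked or spied on in this file, and the new "should not allow prototype pollution" test only proves something if clone runs against the real merge there. Please confirm that, or move the pollution cases to a test file that imports the unmocked module.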
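Review bot: in packages/core/shared/src/utils/tests/merge.test.js, the new "should not allow prototype pollution" test checks only that `pollutedKey` is undefined and never asserts what `res.foo` ends up being, so it passes whether the nested value is dropped, copied by reference or cloned. An assertion on the resulting shape of `res` would pin down the intended behaviour. The blank-line removals in the surrounding tests are unrelated to the fix and would be easier to review as a separate formatting commit.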
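Review bot: in packages/core/uploader/Uploader.stories.js, the TEST_ProtoPollute story assigns `window._test_createUploader` inside useEffect without returning a cleanup function, so the global stays in place after the story unmounts and remains visible to every other story in the same session. Returning a function that deletes the property would scope it to this story. The JSX `return ( ... )` is also missing its semicolon after the closing `)`.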
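Review bot: in pnpm-lock.yaml, the vitest 3.0.4 to 3.0.5 bump and the matching @vitest/* entries ride along with the security fix and account for 60 of the changed lines on each side. Splitting the tooling bump into its own commit would keep the prototype-pollution fix small and simpler to cherry-pick or backport.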
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-pc47-g7gv-4gpw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-57082 (ghsa, ADVISORY)
- gist.github.com/tariqhawis/708e518de0c3b5af7430ec774f68f315 (nvd, WEB)
- github.com/rpldy/react-uploady/commit/386e0a80c428eb988e89fd2acf9bb0b786ac8028 (ghsa, WEB)
- github.com/rpldy/react-uploady/releases/tag/v1.9.1 (ghsa, WEB)