CVE-2022-29823 - Feathers - Query “__proto__” is converted to real prototype
CVE | CVE-2022-29823 |
Case | DIVD-2022-00020 |
Discovered by | |
Credits | |
Products | Feathers js: |
Versions | Feathers js: |
Page author | Victor Pasman |
CVSS | Base score: 10 |
References | |
Last modified | 25 Oct 2022 19:13 |
Description
The Feathers-Sequelize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object: a query containing a "__proto__" key is converted into the real prototype of the resulting object (prototype pollution). This results in Remote Code Execution (RCE) with the privileges of the application.
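As an added illustration of the defect class named in this advisory (not the project's cleanQuery and not code from the advisory), the hypothetical recursive key filter below shows how copying every key of an untrusted query onto a plain object turns a "__proto__" key into the object's real prototype, and how a hardened version avoids it. The block-list contents, the `$unsafe` key, and the request body are constructed for the example.

```javascript
// Hypothetical recursive query filter, written for this page to show the
// defect class. It is NOT feathers-sequelize's cleanQuery.

// Constructed block list of keys the filter is meant to strip.
const UNSUPPORTED = new Set(['$unsafe']);

// Vulnerable pattern: copies every key not on the block list, including a key
// literally named "__proto__". On a plain object, out["__proto__"] = {...}
// invokes the inherited __proto__ setter and swaps the object's prototype
// instead of creating an own property.
function cleanQueryVulnerable(query) {
  if (typeof query !== 'object' || query === null) return query;
  if (Array.isArray(query)) return query.map(cleanQueryVulnerable);
  const out = {};
  for (const key of Object.keys(query)) {
    if (UNSUPPORTED.has(key)) continue;
    out[key] = cleanQueryVulnerable(query[key]);
  }
  return out;
}

// Keys that must never be copied from untrusted input.
const DANGEROUS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened pattern: rejects prototype-related keys outright and builds the
// result on a null-prototype object, so no inherited setter can be reached
// through a key name.
function cleanQueryHardened(query) {
  if (typeof query !== 'object' || query === null) return query;
  if (Array.isArray(query)) return query.map(cleanQueryHardened);
  const out = Object.create(null);
  for (const key of Object.keys(query)) {
    if (UNSUPPORTED.has(key) || DANGEROUS.has(key)) continue;
    out[key] = cleanQueryHardened(query[key]);
  }
  return out;
}

// Constructed request body. JSON.parse creates an OWN property named
// "__proto__" (it does not touch the prototype), and Object.keys() lists it,
// which is exactly what feeds the vulnerable copy loop.
const UNTRUSTED_QUERY_JSON =
  '{"name":"alice","$unsafe":1,"__proto__":{"isAdmin":true}}';

// Runs one of the filters over the constructed body and reports what a
// downstream consumer of the cleaned query would observe.
function demo(cleanFn) {
  const cleaned = cleanFn(JSON.parse(UNTRUSTED_QUERY_JSON));
  return {
    ownKeys: Object.keys(cleaned),
    isAdminVisible: cleaned.isAdmin === true,
    isAdminOwn: Object.prototype.hasOwnProperty.call(cleaned, 'isAdmin'),
  };
}

console.log('vulnerable:', demo(cleanQueryVulnerable));
console.log('hardened:  ', demo(cleanQueryHardened));
```

With the vulnerable filter the cleaned object has only `name` as an own key, yet `cleaned.isAdmin` reads as `true` because the attacker-supplied object became its prototype; any later check such as `if (query.isAdmin)` is fooled. The hardened filter drops the key, so the property is neither own nor inherited. A detection check for such filters is simply to assert, after cleaning, that `Object.getPrototypeOf(result)` is the prototype you expect (`Object.prototype` or `null`).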