CVE-2022-25948
Summary
| CVE | CVE-2022-25948 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-12-22 05:15:00 UTC |
| Updated | 2022-12-30 22:00:00 UTC |
| Description | The package liquidjs before 10.0.0 is vulnerable to Information Exposure when the `ownPropertyOnly` parameter is set to False, which results in leaking properties of a prototype. Workaround: for versions 9.34.0 and higher, an option to disable this functionality is provided. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| leaking JS prototype getter functions in evaluation (eg, .length) · Issue #454 · harttle/liquidjs · GitHub | CONFIRM | github.com | |
| Information Exposure in liquidjs | CVE-2022-25948 | Snyk | CONFIRM | security.snyk.io | |
| feat: `ownPropertyOnly` option to protect prototype, #454 · harttle/liquidjs@7e99efc · GitHub | CONFIRM | github.com | |
| Google Groups | CONFIRM | groups.google.com | |
| refactor: change `ownPropertyOnly` default value to `true` · harttle/liquidjs@7eb6216 · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: amit777
There are currently no legacy QID mappings associated with this CVE.